The news has been full of scare stories about how a security hole found in the Android operating system could let malware take over almost any device. The claims aren't too wild, but what is really interesting is that, rather than being due to some deep-seated flaw in the security system, the cause can only be described as a stupid error.
One of the key protection mechanisms in Android is that code is signed. When an Android application is installed, its cryptographic signature is checked to make sure it is the real thing and hasn't been tampered with. This is fairly standard security, but a flaw in it was made public last week by Jeff Forristal of Bluebox Security.
The basic claim was that it was possible to change an Android app and have it installed without modifying its signature. The big problem was that the details of the exploit were not due to be presented until the Black Hat Briefings in August, so many people were left wondering what sort of exploit this could be. Could it be that the signature used by Android is vulnerable to modifications of the contents that somehow don't affect the value of the computed signature? If so, this would be a big fail for the crypto implementation.
Now we have a taste of what the issue is really about, in the form of a demo script which aims to prove that the exploit is practical. The script, created by Pau Oliva Fora, uses nothing but standard tools. First it takes a valid, verifiable program and uses APKTool to decompile it. Then it recompiles it, adding new files that carry payload code which can do whatever it wants if the original app has root privileges. The new APK file can then be loaded onto an Android device without the new files being checked against the signature.
The reason this happens is that when the system looks up a file by its name, only one entry is returned, even if the APK contains two entries with that name. If the first entry is the file that validates correctly, then the second version of the same file isn't checked at all. It is as if the valid files are used to mask the presence of the modified files: the second copy in the APK is the one that gets installed, even though it is the first copy that is checked.
This is a serious security problem and it could be exploited, but it is a very silly mistake rather than a deep flaw in the security of the OS. Clearly the solution is to make the signature check process all of the files in the APK, even if there are duplicates - or, perhaps more simply, to disallow duplicates.
Some OEMs are already shipping the fix - for example Samsung, and also Google Nexus devices.
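The following is an added example, not code from the article or from Pau Oliva Fora's script, showing the duplicate-name problem and the simpler fix suggested above from the verifier's side. An APK is a ZIP archive, so the example builds a constructed in-memory archive with two entries called classes.dex (hypothetical contents, not a real app), shows that a by-name lookup silently returns just one of them while a walk of the full entry list sees both, and implements the "disallow duplicates" check that a signature verifier should run before trusting any entry. Which copy the by-name lookup returns is Python's zipfile behaviour (the last entry in the central directory wins), not a statement about Android's own verifier or installer.

```python
import io
import warnings
import zipfile
from collections import Counter
from typing import Dict, List


def build_sample_apk(with_duplicate: bool = True) -> bytes:
    """Constructed sample archive standing in for an APK.

    With with_duplicate=True it contains two entries named classes.dex:
    the original one first and a modified one second. Contents are
    placeholders, not real DEX code.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"ORIGINAL-DEX")
        if with_duplicate:
            with warnings.catch_warnings():
                # zipfile warns about a duplicate name but still writes it,
                # which is exactly the archive shape the article describes.
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"MODIFIED-DEX")
    return buf.getvalue()


def entry_versions(apk_bytes: bytes, name: str) -> List[bytes]:
    """Return the contents of EVERY entry called `name`, in archive order.

    Walking infolist() and opening each ZipInfo directly reads each
    physical entry, so duplicates cannot hide behind each other.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.open(info).read() for info in zf.infolist()
                if info.filename == name]


def lookup_by_name(apk_bytes: bytes, name: str) -> bytes:
    """A naive by-name lookup: the archive's name table holds one entry per
    name, so only one of the duplicates is ever seen this way."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def duplicate_entries(apk_bytes: bytes) -> Dict[str, int]:
    """Map each entry name that appears more than once to its count."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def strict_entry_check(apk_bytes: bytes) -> bool:
    """The simpler fix from the article: refuse any archive that contains
    duplicate entry names before signature verification even starts."""
    return not duplicate_entries(apk_bytes)


if __name__ == "__main__":
    apk = build_sample_apk()
    print("entries named classes.dex:", entry_versions(apk, "classes.dex"))
    print("by-name lookup sees only:", lookup_by_name(apk, "classes.dex"))
    print("duplicates:", duplicate_entries(apk))
    print("accept archive?", strict_entry_check(apk))
```

The point of contrast is entry_versions against lookup_by_name: a verifier that resolves files by name, as the article describes, only ever examines one copy, while an installer that walks the archive can extract the other. Rejecting any archive for which duplicate_entries is non-empty closes the gap without having to reason about which copy each component will pick.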