Android Security Hole More Stupid Error Than Defect
Written by Harry Fairhead   
Wednesday, 10 July 2013

The news has been full of lots of scare stories of how a security hole found in the Android operating system could lead to malware taking over almost any device. The claims aren't too wild, but what is really interesting is that rather than being due to some deep-seated flaw in the security system the cause can only be described as a stupid error.

Androidgears

One of the key protection mechanisms in Android is that code is signed.  When an Android application is installed its cryptographic signature is checked to make sure it is the real thing and hasn't been tampered with.  This is fairly standard security but a flaw was made public last week by Jeff Forristal, of Bluebox Security.

The basic claim was that it was possible to change an Android app and have it installed without modifying its signature. The big problem was that the details of the exploit were to be presented at the Black Hat Briefings in August. So many people have been left wondering what sort of exploit this could be. Could it be that the signature used by Android is vulnerable to modification of contents that in some way don't affect the value of the computed signature? If so this would be a big fail for the crypto implementation. 

Now we have a taste of what the issue really is all about in the form of a demo script, which aims at proving that the exploit is practical. The script, created by Pau Oliva Fora, uses nothing but standard tools. First it takes a valid verifiable program and uses the APKTool to decompile it. Then you can recompile it adding new files that carry the payload code that does whatever it wants if the original app has root privileges. The new APK file can then be loaded into an Android device without the new files being checked against the signature.

The reason that this happens is that when the system requests the object corresponding to the key only one object is returned, even if there are two. If the first object is the file that validates correctly then the second version of the same file isn't checked at all. It is as if the valid files are used to mask the presence of the modified files. The second file in the APK is installed even though it is the first that is checked.

This is a serious security problem and it could be exploited, but it is a very silly mistake rather than a deep flaw within the security of the OS. Clearly the solution is to make the signature check process all of the files in the APK even if there are duplicates - or perhaps more simply disallow duplicates.

Some OEMs are already shipping the fix - for example Samsung including to Google Nexus devices.

Androidgears

More Information

Pau Oliva Fora's Proof Of Concept

Al Sutton's Explanation Of the Hack

Black Hat USA security conference 

Related Articles

Microsoft Offers $100,000 For Novel Exploits

Is Exploiting A Bug Hacking?

Smartphone Apps Track Users Even When Off

Crypto Made Easy

 

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, FacebookGoogle+ or Linkedin,  or sign up for our weekly newsletter.

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

 

Banner


Julia 1.1 Adds Array Alternative
17/10/2024

Julia 1.1 has been released with improvements including a new Memory type that provides a lower-level container as an alternative to Array.



Effortless ERD Design With Prisma Markdown
21/10/2024

Prisma Markdown is a new tool that takes the pain out of drawing entity relationship diagrams. An essential help if your design is database driven rather than code driven.


More News

 

 

 

 

 

Last Updated ( Wednesday, 10 July 2013 )