Old Apache Code At Root of Android FakeID Mess 127
chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, "an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."
The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.
Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.
The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.
Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.
Thankfully those will be patched right in a jiffy! (Score:2, Insightful)
Phew, good thing Android is open source and these vulnerabilities will be patched right away be all those "for profit" companies, who wouldn't want their users to get angry!
Giggity [youtube.com]
Re:Thankfully those will be patched right in a jif (Score:4, Insightful)
10% of the Google Play store wouldn't be malware.
It's not. That claim was typical hyperbole by an AV vendor desperately trying to find a market to sell their snake oil in now that Windows is in decline. The report they used even showed the Google Play Movies application as malware... They've since backed off the claim, but of course the mud (as intended) still sticks.
http://www.techrepublic.com/ar... [techrepublic.com]
Re:Thankfully those will be patched right in a jif (Score:3, Insightful)
Couldn't this be patched as part of an update to the Google Services Framework?
It is and has been.
There is close to zero chance that anyone will be affected by this "Android mess". It's a beat up.