Old Apache Code At Root of Android FakeID Mess
chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, "an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."
The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it were actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.
Work on Harmony was discontinued in November 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.
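The logic error the submission describes (a certificate's issuer field is taken at face value instead of being verified against the claimed issuer's key) can be shown side by side with the correct checks. The following is an added example, not Bluebox's or Android's code, and it is written against Go's standard crypto/x509 package rather than Android's Java package installer. The "Adobe Systems" subject, the host names and the attacker key are all constructed for the demonstration; the certificates are generated in memory when the program runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict records what three different validations say about one leaf certificate.
type Verdict struct {
	NameOnly  bool // Issuer field merely names the trusted identity (the FakeID mistake)
	Signature bool // trusted identity's key actually verifies the leaf's signature
	Chain     bool // full path validation up to the trusted root succeeds
}

// newTemplate builds a minimal certificate template; CA templates get the
// basic constraints and key usage that path validation requires.
func newTemplate(serial int64, subject pkix.Name, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// newCA makes a self-signed CA; here it stands in for the trusted Adobe identity.
func newCA(org string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := newTemplate(1, pkix.Name{Organization: []string{org}}, true)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf issues a leaf whose Issuer field is set to issuerName but which is
// signed by signer. Nothing ties the two together: when they do not match,
// the certificate claims an issuer that never vouched for it, which is the
// FakeID situation.
func newLeaf(cn string, issuerName pkix.Name, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := newTemplate(2, pkix.Name{CommonName: cn}, false)
	// Only the issuer's *name* goes into the parent template; no public key is
	// attached, so CreateCertificate has nothing to compare signer against.
	parent := &x509.Certificate{Subject: issuerName}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// check runs the broken name-only test and the two correct tests on one leaf.
func check(leaf, trusted *x509.Certificate) Verdict {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, chainErr := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return Verdict{
		NameOnly:  leaf.Issuer.String() == trusted.Subject.String(),
		Signature: leaf.CheckSignatureFrom(trusted) == nil,
		Chain:     chainErr == nil,
	}
}

// buildScenario returns a genuine leaf signed by the trusted CA and a forged
// leaf that names the same issuer but is signed by an attacker's own key.
func buildScenario() (genuine, fake, trusted *x509.Certificate, err error) {
	var trustedKey *ecdsa.PrivateKey
	trusted, trustedKey, err = newCA("Adobe Systems") // illustrative name
	if err != nil {
		return nil, nil, nil, err
	}
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if genuine, err = newLeaf("legit.example", trusted.Subject, trustedKey); err != nil {
		return nil, nil, nil, err
	}
	if fake, err = newLeaf("malware.example", trusted.Subject, attackerKey); err != nil {
		return nil, nil, nil, err
	}
	return genuine, fake, trusted, nil
}

func main() {
	genuine, fake, trusted, err := buildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %+v\n", check(genuine, trusted))
	fmt.Printf("forged:  %+v\n", check(fake, trusted))
}
```

The name-only comparison accepts both leaves, because the issuer DN is just a field the signer writes; only `CheckSignatureFrom` (the trusted key verifying the signature) and full `Verify` (path validation to the trusted root) reject the forgery. Android's APK signing does not use X.509 path validation in this exact shape, so treat this as a model of the logic error rather than a reproduction of the vulnerable installer code.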
Re:Thankfully those will be patched right in a jif (Score:5, Interesting)
Not just that... it's already reasonably moot.
http://www.osnews.com/story/27868/Another_day_another_sensationalist_unfounded_security_story
"First, a patch has been sent to OEMs and AOSP, but with Android's abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed."
Google reacted to this disclosure rapidly and well.
Of course such a vulnerability would probably never be FOUND in iOS or WinPhone, since they are closed source, and almost certainly never disclosed if it was.
Just update your Play Store, and you are safe unless you are sideloading (never a great idea).
If you are sideloading, then if you leave Verify Apps on, it's also no problem.
Google are also scanning all apps on Google Play to check no one has been trying this.
Yawn, another Google/Android beat-up trying to wag the dog. Not hard to guess where the spin is originating.
Re:Thankfully those will be patched right in a jif (Score:3, Interesting)
Cell carriers? I have a Google Nexus (One) and it was abandoned BY GOOGLE, not the carriers, 2 years ago. No security fixes, no nothing. Stuck at 2.2.something.
Google fucked us over by saying that Nexus phones are upgradable and supported. They are not - not by any reasonable definition of 'supported'. I can have Linux kernel, IP-stack (etc.) updates (at least for security) for 10+ yr old Linux PCs. But a few yr old phone - NO WAY. Google has the attention span of a 5 yr old.
Should I have to throw away a $300 paid-for phone that still works, electrically (at least)? This is why I hate Android and hate Google even more. They use the word 'Linux' a lot but they bastardize it and abandon it and tell you 'go re-buy your phone'. Sorry, that's not acceptable. Not on a device that is less than 5 yrs old and still in perfect working condition. The only issue is the poor software and that will NEVER be fixed, it seems.
I hate Google. Totally fucking hate their whole development model for phones. (And that leaves me no choice since I also hate Apple and their whole scheme of lock-in.)
Wish there was another choice. The whole mobile data thing really unnerves me with how bad the scene really is.
I guess I can't (or won't) install any apps since the certs can't be trusted (or the code that checks them) and so whatever apps I have now, that's what I have and won't ever have any more on this phone.
(And I fully expect the Google fanboys to mod me down. They always do when I yell about their most holy and blessed Google.)