Forgot your password?
typodupeerror
Android Open Source Security Apache

Old Apache Code At Root of Android FakeID Mess 127

Posted by Soulskill
from the write-once-run-anywhere dept.
chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, "an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."

The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.
This discussion has been archived. No new comments can be posted.

Old Apache Code At Root of Android FakeID Mess

Comments Filter:
  • by Anonymous Coward

    Phew, good thing Android is open source and these vulnerabilities will be patched right away be all those "for profit" companies, who wouldn't want their users to get angry!

    Giggity [youtube.com]

    • by ShaunC (203807) on Tuesday July 29, 2014 @08:13PM (#47562105)

      The patch already exists [phandroid.com], now it's up to our cell carriers to distribute it.

      • by mightypenguin (593397) on Tuesday July 29, 2014 @08:24PM (#47562203)
        Actually the patch is already distributed without any manufacturer intervention required. http://www.osnews.com/story/27... [osnews.com]
        • There are craploads of devices discontinued by the manufacturers. Are they covered by the patch?
          • because unlike iOS which requires an upgrade of the OS to get a new Appstore, even on devices running 2.3, the Google Play app and Google Play Services can be updated to the latest release without any manufacturer or carrier involvement.
      • by trparky (846769)
        Couldn't this be patched as part of an update to the Google Services Framework? From what I understand, Google controls the Google Services Framework and can push updates even to phones/devices that haven't been updated by their network provider.
        • Re: (Score:3, Insightful)

          by Anonymous Coward

          Couldn't this be patched as part of an update to the Google Services Framework?

          It is and has been.

          There is close to zero chance that anyone will be affected by this "Android mess". It's a beat up.

      • by CastrTroy (595695)
        This is why I have a big problem with Android. The carriers have nothing to do with manufacturing or maintaining the phone. Why should they have anything to do with the update process. Updates should come straight from the manufacturer, and carriers should not have their own custom firmware. Or even better, all updates should come straight from Google. The only customizations at the manufacturer level should be applications which can be reinstalled (or uninstalled) at the customer's discretion. Apple doe
      • by thesupraman (179040) on Tuesday July 29, 2014 @09:37PM (#47562655)

        Not just that.. its already reasonably moot.

        http://www.osnews.com/story/27868/Another_day_another_sensationalist_unfounded_security_story
        "First, a patch been sent to OEMs and AOSP, but with Android's abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed"

        Google reacted to this disclosure rapidly and well.
        Of course such a vulnerability would probably never be FOUND in iOS or WinPhone, since they are closed source, and almost certainly never disclosed if it was.

        Just update your play store, and you are safe unless you are sideloading (never a great idea)
        If you are sideloading then if you leave verify apps on, its also no problem.

        Google are also scanning all apps on Google Play to check no one has been trying this.

        Yawn, another google/Android beatup trying to wag the dog. Not hard to guess where the spin is originating.

        • by Karlt1 (231423)

          Of course such a vulnerability would probably never be FOUND in iOS or WinPhone, since they are closed source, and almost certainly never disclosed if it was

          The last major security flaw in iOS was found in open source parts of iOS.

          http://nakedsecurity.sophos.co... [sophos.com]

          And all phones released since 2009 received the patch. (iPhone 3Gs and up)

          No not all of Android is open source and Google is close sourcing more and more of what is considered "Android" by most people.

      • Re: (Score:3, Interesting)

        cell carriers? I have a google nexus (one) and it was abandoned BY GOOGLE, not the carriers, 2 years ago. no security fixes, no nothing. stuck at 2.2.something.

        google fucked us over by saying that nexus phones are upgradable and supported. they are not - not by any reasonable definition of 'supported'. I can have linux kernel, ip-stack (etc) updates (at least for security) for 10+ yr old linux pc's. but a few yr old phone - NO WAY. google has the attention span of a 5 yr old.

        should I have to throw aw

        • You weren't abondoned, the core apps still receive updates. The N1 is fine on GB so long as youre using play and updating apps.

          If you want a full OS build then look for an aftermarket ROM like Cyanogenmod. I use my Desire Z (cousin of the n1) with Cyanogen 10 and it is fantastic. Do a bit of homework and leave your flaming for reddit.

        • by thegarbz (1787294)

          That's all good and fine but just realise that you are in fact the minority. 2 years is not an accepted life span for many devices, but for many phones it most definitely is. You can thank contracts that last that long and come with a "free" phone.

          • I can thank contracts? this was bought outright and from google. it used to be their flagship (yes, a long time ago, but that's not relevant). what is relevant is how google ACTS vs what they SAY. their action speaks volumes and if it wasn't google, with 10's of thousands of employees who are, supposedly, best-in-the-world - they SHOULD have at least one person to support older phones, at least for security and major bugfixes. to this day (and on its birth day) it had a problem with x,y screen calibrat

            • by thegarbz (1787294)

              I can thank contracts? this was bought outright and from google.

              Irrelevant. The market place in general works on 2 year contracts. Just because you do something different doesn't magically mean a company should support you for it.

              In my experience they acted perfectly fine. Compare say your Nexus which received 2 years worth of updates, to *any other Android phone* which never received any updates from the manufacturer.

              As for the calibration, I wonder why you didn't return the phone under warranty? You had a problem? Well 200000 other people didn't. There was no major pu

          • I can only assume that you rarely talk to non-geeks. I upgrade my phone roughly every 3 years and most of my non-geek friends have significantly older phones than me. Many of them get new phones only when a geeky relative upgrades and hands down their old device, so the least technical users end up with the least secure devices...
            • by thegarbz (1787294)

              Quite the opposite. Most "Geeks" I know bail out of their contract to get a new phone. The only person I know who doesn't have a phone on a plan is my mother. In every other case you get the latest phone for effectively free. That's how the brain works when you go from paying $40/month, contract expires, keep paying $40/month and a new phone arrives.

              Maybe your non-geek friends are on different relationships with their telecom companies than my .... err whole country.

              • Ah, you're in the USA? Here, most people have pre-pay plans (being locked into a contract is generally seen as negative, unless it comes with some really good deals) and so get the phone that they bought along with their SIM and then hang onto it until it breaks or someone gives them a new one. I don't think I know anyone who pays close to $40/month on a phone bill (a fifth to a tenth of that is common and it's hard for a contract that comes with a new phone to be that cheap). At that price, I'd probably
        • by Zuriel (1760072)

          The Nexus One was abandoned because Google said the hardware was too old. And they have a point - you have to jump through some major hoops to get a modern ROM onto it.

          The N1 has 512 MB internal flash, and the way it was partitioned meant Android 4.0 was larger than the N1's system partition. Its partitioning scheme dates from the days when apps couldn't be moved to the SD card, so the system partition is only barely big enough to hold Android 2.3 to allow the maximum possible space for apps. Sure, you can

          • bullshit excuse. I don't want or need new features. I want the 512 meg stuff TO WORK and not buzz at me when I touch the screen. or reboot (showing the shimmering X) during gps car use! or have their maps route me into a downtown (redwood city) when I'm really going from south san francisco to san jose. that is a pure route101 trip and yet, time after time, it sends me thru downtown RC when I didn't need to do that.

            gmail app is broken (I have to use k9 to read my gmail) - gmail app won't even poll for

            • by Zuriel (1760072)
              Updated software won't fit on the device is a bullshit excuse for not putting updated software on the device?
              • If security fixes take up significant amount of additional space, then something's being done wrong. Very very wrong.

                • by Zuriel (1760072)
                  It's more like you install a 17 gig OS on a 17 gig disk, and then they release a free service pack that adds a ton of stuff. From Face Unlock to data usage limits to VPNs to support for new screen dimensions. And it needs more space for all the extra code. And then they offer security updates that assume you have the free service pack. They didn't release security fixes for Windows XP SP3 and also backport the fixes to SP2 and SP1.
              • Well no, the excuse will be that google don't want to backport fixes from their 4.2 branch back to their 2.2 branch. And I can't blame them, such backporting is usually alot of work and everybody hates doing it. Plus of course there would be no direct revenue from the engineering effort, other than a certain amount of 'goodwill' (which can apparently be put down on the balance sheet, but that seems a bit nuts to me).

                So there's two problems, one - the new Apps/OS won't fix on your device and two - no-one wan

        • by coofercat (719737)

          > wish there was another choice. the whole mobile data thing really unnerves me with how bad the scene really is.

          http://jolla.com/ [jolla.com] ?

        • by c (8461)

          should I have to throw away a $300 paid for phone that still works, electrically (at least)?

          Well, there *is* an unofficial CM11 port [xda-developers.com]. It sounds like the limited memory and storage was a bit of a deal-breaker for everyone trying to support the Nexus One (even the alternate ROMs) until KitKat came along with its reduced resource needs. I suspect installing the Google Play Services stuff to get the app scanning might be asking a bit much.

          But yeah, generally speaking I don't disagree with your premise. The Nexu

      • by DrXym (126579)
        Cell carriers don't have to distribute it. Google could use their Play service and patch devices regardless of what the carrier did. They could even scan devices for active use of the exploit.
  • I call BS (Score:5, Funny)

    by Charliemopps (1157495) on Tuesday July 29, 2014 @08:45PM (#47562351)

    Why are we blaming yet another coding mistake on Native Americans?
    Native Americans are just as good as anyone at programming. I'd even say the Apache tribe has some top notch C++ people. Yes, the computers don't last long in the sweat lodges, but that's the price you pay for that "Made by real Americans" label.

    • by godrik (1287354)

      Too bad there is no "not funny" tag on slasdhot. This would be a perfect use case for it.

    • Re: (Score:2, Informative)

      by rahvin112 (446269)

      There is no tribe called simply the "Apache". Though, the word Apache is used in the name of several of the tribes that make up the ethnic group. There are numerous tribes in the Apache ethnic group. One of largest of these tribes is the Navajo which doesn't use the word Apache in the tribal name.

      • So you missed the fact that my statement was completely nonsensical and not based in reality? and yes, I mean more so than usual.

      • An ethnography Nazi!

        Didn't realize Slashdot had one of them.

        • by rahvin112 (446269)

          So does that make you a stupidity nazi who demands that no opportunity for the gaining of knowledge ever present itself?

          I was trying to relate a bit of what I consider interesting information in response to a rather stupid joke. I expected the person I replied to have a fit about it being a joke. I didn't expect someone to get mad that I imparted information that most people aren't aware of.

  • Kind of strange how all these reports of Open Source vulnerabilities are increasing recently. Despite the fact that, as in Heartbleed, hyped to the max, very few actual bad things seem to happen. Almost as if it were coordinated.

    • by Kardos (1348077)

      I see it as good news that security software is getting more attention. There was a lot of bug backlog that's finally getting fixed. Each bug a bug is fixed we slowly and steadily eliminate attack vectors. Heartbleed is undoubtedly one of the drivers of this renewed attention, as are the revelations that nation states are actively working to exploit weaknesses. Patching bugs is one of the ways ordinary people can work against mass surveillance.

      > Despite the fact that, as in Heartbleed, hyped to the max,

      • by Zxern (766543)

        One of the down sides of having fast, powerful and cheap computers today is that most users won't notice when they've been infected with a virus.

  • by countach (534280) on Tuesday July 29, 2014 @08:53PM (#47562403)

    I don't know the fine details of this bug, but am I the only one appalled at how obvious this bug sounds? It doesn't even properly check the certificate? I mean buffer overflows and such are one thing, but not properly testing your certificate code seems unforgivable.

    • Re:Appalling (Score:5, Informative)

      by swillden (191260) <shawn-ds@willden.org> on Tuesday July 29, 2014 @09:56PM (#47562755) Homepage Journal

      I don't know the fine details of this bug, but am I the only one appalled at how obvious this bug sounds? It doesn't even properly check the certificate? I mean buffer overflows and such are one thing, but not properly testing your certificate code seems unforgivable.

      No, it's not that it doesn't check certificates generally, it's that if there's an additional, extra certificate of a particular form in the list that forms an app's certificate chain (but isn't actually in the chain) then that extra certificate gets included in the list of signatures associated with an app... making other apps that query the signature list believe that the app is signed by a certificate it's not. This doesn't, for example, fool the Play store into believing an app is from developer A when it's really from developer B. But it can fool other apps. There are some apps that load others as plugins, and make decisions about which plugins to load based on whether they're signed by a particular key. This flaw allows malicious apps to subvert that, convincing the plugin-loading apps to execute them, thereby giving the malicious app the same permissions as the plugin-loading app.

      It's a serious security flaw, no doubt. But it's a little more subtle and less obvious than the summary makes it appear. Also, it appears that no app in the Play store, nor any of the other apps that Google has scanned, attempt to exploit the flaw. It's very easy to identify them by scanning the certificates in the package.

      I've implemented tests for certificate chain validation code several times (not in Android), and it never once occurred to me to test for this particular odd construction, nor, I think, would anyone else think to test for it without some specific reason. This sort of bug requires inspection of the code.

      (Disclaimer: I'm a member of the Android security team, but I'm not speaking in an official capacity, just summarizing what I've read of the vulnerability -- which isn't a great deal. Others on my team are well-informed, but I haven't followed this issue closely.)

  • Relying on Java for anything fundamental is going to bite you in the butt.

    • by tlhIngan (30335)

      Relying on Java for anything fundamental is going to bite you in the butt.

      Crap. That's like 90% of cellphones out there (the rest are iPhones). Between Android and featurephones, all of which rely on Java... (J2ME wasn't just a pipedream - practically all featurephones prior to the iPhone used it).

  • What did Apache expect when their code was written by Cowboys?

  • Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems.

    It's a good thing most actors aren't good at programming.

    Seriously, why do we feel we must constantly reel words, which were perfectly content in their familiar habitat, into the jargonic fold? "Actor"? Couldn't we have used one of dozens of words already used in everyday English: programmers, hackers, thieves, people? That last suggestion brings up another question: which of the two instances of the word "malicious" could safely be removed from the sentence? Both. After a long introduction about a security

    • by Kardos (1348077)

      Really? The summary describes a software flaw with grave security implications, and you weigh in with some whining about the use of 'actor' and a mediocre quality sentence?

      Education time: Some words have multiple meanings. Actor is one of them.

      actor
      noun: actor; plural noun: actors
      1. a person whose profession is acting on the stage, in movies, or on television.
      2. a participant in an action or process.

      It's bog standard to use the second sense in this

news: gotcha

Working...