A 'Fake ID' Flaw in Android Leaves Millions of Phones Vulnerable

A team of security researchers has discovered a security flaw in Google's mobile OS which affects handsets running versions up to and including 4.4—leaving a potential 82 percent of Android users at risk.

The vulnerability, discovered by Bluebox Labs and nicknamed Fake ID, stems from how app security is checked on Android. Each app gets its own unique cryptographic signature—it governs who can update it and what privileges it gets—and the whole system runs on a chain of identity certificates. The Guardian explains how this works:

There are "parent certificates" and "child certificates," which are checked against one another upon installation to ensure they match up and the app is trusted. The parent, usually handed down by the original software creator, effectively proves the child is worthy of being trusted, as part of what is known as the "certificate chain".

While this should in theory provide a decent level of security, Bluebox Labs claims that up until Kit Kat, Android didn't carry out enough checks on these certificates. In turn, that means that an identity could claim to be issued by another identity, when in actual fact it wasn't.
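To make concrete what "enough checks" means, the following is an added example (not Bluebox Labs' proof of concept and not Android's code) modelling a certificate chain with a toy, deliberately insecure RSA scheme built from fixed Mersenne primes. The names `TrustedRoot`, `GoodApp` and `RogueApp`, the keys, and both chain checkers are constructed for illustration. `chain_ok_name_only` stands in for the inadequate pre-KitKat behaviour described above: it only compares the child's claimed issuer name with the parent's subject. `chain_ok_verified` shows what a correct validator does in addition: verify the child's signature under the parent's public key and match the trust anchor by key, not by name.

```python
"""Toy certificate-chain validation: name matching alone versus real signature
verification. Constructed example only; textbook RSA with fixed primes and a
SHA-256 digest reduced mod n is NOT secure and is not Android's implementation.
"""
import hashlib
import json
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys


def make_keypair(p: int, q: int):
    """Return ((n, e), d) for the given primes. Constructed, insecure sizes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, E), d


def _digest_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, pub, priv_d: int) -> int:
    n, _ = pub
    return pow(_digest_mod_n(data, n), priv_d, n)


def verify(data: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # the NAME the certificate claims as its issuer
    pub: tuple    # (n, e) of the subject's key
    sig: int      # issuer's signature over the to-be-signed bytes

    def tbs(self) -> bytes:
        """Bytes that the issuer signs (everything except the signature)."""
        return json.dumps([self.subject, self.issuer, list(self.pub)]).encode()


def issue(subject, subject_pub, issuer_subject, issuer_pub, issuer_d) -> Cert:
    unsigned = Cert(subject, issuer_subject, subject_pub, 0)
    return Cert(subject, issuer_subject, subject_pub,
                sign(unsigned.tbs(), issuer_pub, issuer_d))


def chain_ok_name_only(chain, trusted) -> bool:
    """Inadequate check: links matched by issuer/subject NAME only, so a cert
    can claim any issuer it likes. chain is [leaf, ..., root]."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].subject in trusted


def chain_ok_verified(chain, trusted) -> bool:
    """Proper check: each link's signature must verify under the parent's key,
    and the root must be a trust anchor matched by KEY, not just by name."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
        if not verify(child.tbs(), child.sig, parent.pub):
            return False
    root = chain[-1]
    return trusted.get(root.subject) == root.pub and verify(root.tbs(), root.sig, root.pub)


def run_demo() -> dict:
    # Constructed keys from distinct Mersenne primes (toy sizes, insecure).
    root_pub, root_d = make_keypair(2**61 - 1, 2**89 - 1)
    app_pub, app_d = make_keypair(2**31 - 1, 2**107 - 1)
    rogue_pub, rogue_d = make_keypair(2**19 - 1, 2**127 - 1)

    trusted = {"TrustedRoot": root_pub}  # hypothetical trust anchor
    root = issue("TrustedRoot", root_pub, "TrustedRoot", root_pub, root_d)

    # Genuine app certificate, really signed by the trusted root.
    good_leaf = issue("GoodApp", app_pub, "TrustedRoot", root_pub, root_d)
    # Forged certificate: CLAIMS TrustedRoot as issuer but is signed by another key.
    forged_leaf = issue("RogueApp", rogue_pub, "TrustedRoot", rogue_pub, rogue_d)

    return {
        "good_name_only": chain_ok_name_only([good_leaf, root], trusted),
        "good_verified": chain_ok_verified([good_leaf, root], trusted),
        "forged_name_only": chain_ok_name_only([forged_leaf, root], trusted),
        "forged_verified": chain_ok_verified([forged_leaf, root], trusted),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the genuine chain passing both checks, while the forged certificate passes the name-only check and fails only once the parent's key is actually used to verify the child's signature; that signature verification at every link is the check a validator cannot skip.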

The upshot is that any app could contain a certificate that appears to be handed out by a trusted source—and Bluebox Labs have demonstrated this using Adobe Systems certificates—to abuse the privileges of the parent. Indeed, Adobe Systems certificates grant apps the right to load HTML code in all other applications—which could easily be used to run malicious code. The Android Near Field Communications certificate could similarly be abused to gain access to Google Wallet—putting financial data in jeopardy.

Bluebox Labs claims that Fake ID has been present in Android from version 2.1 to 4.4, but that still leaves 82.1 percent of OS installs vulnerable. A patch has now been issued by Google to Android partners and to the Android Open Source Project, but it could be a while before that makes it to your phone. So in the meantime, if you run a version older than KitKat, watch your back. [Guardian]

Image via Flickr / Uncalno