Android Update Lets Malware Bypass Digital Signature Check
msm1267 writes "A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature — an action that would normally set off a red flag that something is amiss. Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said. The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected."
Looking forward to 1st August (Score:5, Insightful)
It will be really interesting to see what this vulnerability is, on the 1st of August, since all that can be gathered from the press release is essentially:
It is possible to change an APK without changing its signature, and Android will not notice. That does have big implications, but it isn't enough detail to say anything much more than "Oh, that's not good".
Re: (Score:1)
I'm curious; do you still get that $12 if you post as AC?
Re:Looking forward to 1st August (Score:5, Funny)
HOW can you COMPROMISE an APK file?
It USES HOSTS file!
When spooks insert exploits into your apps (Score:2)
I'm aware of the joke [slashdot.org]. Soon people will likely forget about APK the hosts file advocate, just as they have forgotten about Twitter the anti-M$ sock puppet master [slashdot.org].
But seriously, a hosts file blocks hostnames that you don't want programs on your device to connect to. That's all it does. It won't help when the spooks are MITMing your device's Internet connection to third-party Android package repositories like F-Droid and Amazon and inserting exploits of signature check failures like this.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Technically, they could come from either. There is no guarantee that something from the Play store is clean. I also have to wonder what will happen to the millions of phones that simply don't get updates from the handset vendors. Granted the geek crowd can probably update most, but there will be literally millions upon millions that will have this vulnerability until they die or are replaced.
Re: (Score:3)
And most likely Google and AV vendors are very active in policing the store, putting apps through their paces in virtualized devices looking for suspicious behaviour, weeding out malware attempts, remote killing any installs of said malware. Whereas if some guy who installs an apk they got from a torrent site gets none of that and probably sta
Re: (Score:2)
ALL OSES, be they Windows, Linux, or OSX are frankly some of the most complex software platforms EVER created by man, and since man is fallible there WILL be bugs and if there are enough users to make it worth the trouble it WILL be exploited.
Which is why you have to consider the means by which software gets on the system. There are many, many computer platforms that have never had malware. Take an industrial controller - what's the mechanism by which malware can get on the device in the first place? Most of them aren't even connected to the internet.
they honestly didn't need to bother, people will happily infect their phones and tablets without a thought in the world. I swear it's the damnedest thing, it's like the SECOND you put it on another medium?
That's why the iOS single curated app store is a good idea. Ordinary users are just not computer security aware to protect themselves. Better than they can only access from a source that only has pr
Re: (Score:2)
ALL OSES, be they Windows, Linux, or OSX are frankly some of the most complex software platforms EVER created by man, and since man is fallible there WILL be bugs and if there are enough users to make it worth the trouble it WILL be exploited.
iOS still has a significant marketshare, yet an insignificant number of security breaches.
Sure, some of this could be (I say could because there isn't much evidence backing this) because iOS is a more locked down platform. But by your own thesis this platform should have plenty of security problems.
Re:Looking forward to 1st August (Score:5, Insightful)
I will wager a guess as to what the vulnerability is. If that is not it, then it just means there is another vulnerability.
I'll just state that I'm not sure this is it, as what I'm talking about is not triggerable via an update. You would need root to trigger it.
The information I am writing here is a product of my own research. It may or may not be the same as discussed above, but the symptoms are similar enough that I think it is.
An APK is a zip file composed of two main parts: the compiled Dalvik code (in a file called classes.dex), and the resources (spanning multiple files, exact format irrelevant here). All of those files are listed in a directory inside the APK with their hash, and that file is digitally signed. This is the Android signing process.
The code, however, is in a format that is not immediately usable. I'm a bit fuzzy on the specific details, but the general idea is that you would need to adapt it to load addresses, based on everything else running in the same address space (the framework, and other libraries, if applicable). As a result, when Android first sees an APK, it does "optimization", in which it essentially takes the dex file, does all of the necessary relocations, and stores it in a directory called "dalvik-cache". As long as none of the APKs on which this cache file depends changed (the cache file stores the hashes for the original APK and all other dependencies), then Android does not bother with the classes.dex file stored inside the APK. It simply loads the optimized dex (odex) directly from the cache whenever needed. Needless to say, the odex is not hashed and is not signed. If you change it, Android will load your modified code without complaining.
I had more to say, and typed it in and all, but then I got "Filter error: Lameness filter encountered" error. Probably too long. I think you will have to make do with the first half of my comment :-)
Shachar
Re:Looking forward to 1st August (Score:5, Insightful)
Second half of above comment:
It gets worse, however. Some vendors do not like the fact that after factory reset, the phone takes a long time to boot as it turns all of the dex files into odex files. They also do not like the fact that these files take space in the data partition, which is where downloaded APKs and application data is stored by default. As a result, Android has a mechanism by which you can place an APK in the system partition that is already odexed. The APK file does not contain a classes.dex file at all. Instead, next to the APK there is another file, called with the same base name and an .odex extension. On such a system, the original, signed, code is not around, and all of the actual code of the application is unsigned.
The severity of this attack, scary though it may sound, is not very high. You need root access in order to change the system folder or access the dalvik-cache directory. There is no privilege escalation. Just running unsigned code that seems to be signed. Also, any change to other parts of the system will invalidate the cache, and cause your exploit to disappear.
All in all, an interesting, but not very scary, vulnerability.
Shachar
Re:Looking forward to 1st August (Score:5, Informative)
Re: (Score:2)
Quoting Andy Fadden, an Android systems engineer, from his recent StackOverflow answer on this subject [stackoverflow.com]:
yeah.. if it really needs local root.. then .. what the fucking kind of exploit is that ?
Re:Looking forward to 1st August (Score:4, Funny)
Pffft... Like carriers push updates.
Re: (Score:3, Interesting)
So you can only get infected if you side load apks from sketchy sources. Play store users are safe.
How is this any different if you side load apps on iOS devices?
Re: (Score:1)
You need to tick the checkbox that allows sideloading. With this vulnerability you don't need to tick the checkbox.
Re: (Score:2)
Actually, since Google have already patched the Play Store, it's still a safe channel. So you'd still have to sideload to risk being affected.
Re: (Score:1)
Actually, since Google have already patched the Play Store, it's still a safe channel. So you'd still have to sideload to risk being affected.
Yeah but you don't need to tick the check box that says "allow apps from unauthorized sources".
Re: (Score:2)
The problem is that Google get more and more apps out of the Play Store (e.g. GameCIH (memory editor), rooting apps...). Now it is hard to find these apps, you need to go to shady places to sideload them. This is 'great' for security :(
Re: (Score:2)
So by extension, if you want to remain safe, you need to revert the device back to functionality apple provides with iOS.
Why do i want to run android again?
Re: (Score:2)
there's a bigger difference between iOS and Android than just sideloading. Change the default apps for email, maps, etc. to whatever you want. Skin the UI. Make the choice and run a rooted custom version of Android. Different selection of handset sizes. Etc.
If anything, sideloading is pretty useless for the majority of users. It's the other things that people use generally that make Android different.
Re: (Score:2)
Because *you* consider the options and make the choice for yourself, instead of some corporation that doesn't know anything about your situation.
If you don't trust yourself with that responsibility, then of course you're free to hand it to Apple instead.
Re: (Score:2, Informative)
Play store apps are safe NOW since Google was alerted to this in February and had a chance to update their scanners.
But there's still plenty of ways of sideloading apps and who knows if they're sketchy? The problem is Android does not allow sideloading apps from certain alternative stores - it's either Play Store only or everyone.
E.g., if you use A
Re: (Score:2)
So you can only get infected if you side load apks from sketchy sources. Play store users are safe.
How is this any different if you side load apps on iOS devices?
[assuming iOS had the same vulnerability...]
"Sideloading" from other stores is a standard feature of Android. It's not with iOS. Thus this can hit ordinary users with standard Android phones. But not ordinary users with standard iOS.
The step to iOS Jailbreaking is far more of a jump, and an awareness that it breaks security protection than changing a preferences option in Android.
Furthermore, let's assume that in each case, the vulnerability is fixed with the next minor version of the OS. On iOS, the majority
Re: (Score:1)
I'm sorry, but I have a hunch that anybody involved in the android modding community already knows what this "vulnerability" is. I just hope it's not what I think it is, cuz I like to mod my phone, and if they "fix" this, it puts an end to my hobby.
Re:Looking forward to 1st August (Score:5, Informative)
APKs are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.
Either way, you will still need to trick people into installing your version of the apk.
Re: (Score:1)
APKs are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.
Either way, you will still need to trick people into installing your version of the apk.
My guess is this: android just checks the first files matching in the jar/zip for the names, but installs the files found last in the jar(or vice versa, zip files can have multiples of the same filename).
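An added Python example (not code from the thread, and not Android's own verifier) for the two comments above: a constructed toy archive with two central-directory entries both named classes.dex shows how a first-match lookup and a name-keyed last-match lookup return different bytes, and a defender-side check rejects any archive with repeated names before trusting the per-entry digests that jar-style signing relies on. The archive contents are made up for the demonstration.

```python
import hashlib
import io
import warnings
import zipfile

def build_sample_archive(tampered: bool = True) -> bytes:
    """Constructed toy archive (not a real APK). When tampered, the central
    directory lists classes.dex twice; zipfile warns but writes both."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("classes.dex", b"dex bytes covered by the signature")
            z.writestr("res/layout.xml", b"<layout/>")
            if tampered:
                z.writestr("classes.dex", b"dex bytes nobody signed")
    return buf.getvalue()

def first_match(data: bytes, name: str) -> bytes:
    """Lookup in directory order: the first entry with this name wins."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.filename == name:
                return z.read(info)  # read this specific entry, not by name
    raise KeyError(name)

def last_match(data: bytes, name: str) -> bytes:
    """Name-keyed lookup: zipfile's own read(name) keeps the last entry seen
    for a repeated name, so the later entry silently wins."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)

def duplicate_names(data: bytes) -> set:
    """Names that appear more than once in the central directory."""
    seen, dupes = set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.filename in seen:
                dupes.add(info.filename)
            seen.add(info.filename)
    return dupes

def verify_entries(data: bytes) -> dict:
    """Hardened pass: refuse any repeated name before trusting per-entry
    digests, then return a manifest-style SHA-1 per entry."""
    dupes = duplicate_names(data)
    if dupes:
        raise ValueError(f"repeated entry names: {sorted(dupes)}")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {i.filename: hashlib.sha1(z.read(i)).hexdigest()
                for i in z.infolist()}
```

The point for a verifier is that a per-entry digest table is only meaningful if every name maps to exactly one entry, so the duplicate check has to run before any digest is compared.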
Re: (Score:3)
APKs are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.
AIUI, at least part of the APK signature verification only happens when you first install the APK. If you modify the file on the data partition (for which you would require root access), you can actually change the code and android does not notice that it no longer has a valid signature. I have done this, years ago, on a Froyo install for a phone that was running on a very slow processor, in order to remove certain delays (e.g. animation of screen on/off, which was taking too long). Nothing ever noticed
Re: (Score:2)
It is possible to change an APK without changing its signature, and Android will not notice.
Just don't forget to update your hosts file.
900 million is a pretty big number (Score:1)
I wonder how many of these 'vulnerabilities' are intentional, and get patched only when caught. Obviously these contraptions are wide open
Re:900 million is a pretty big number (Score:5, Insightful)
And thus we dispel one of the many myths of open source. F/OSS is not bad and proprietary software is not necessarily better in any way or any of that shit but the cold hard fact is that even if you have access to the source code this sort of thing is going to happen! Nobody is reading and understanding all the code in its entirety being assured that there are no vulnerabilities or backdoors, no matter how much the fossies like to believe it.
I'm not advocating one way or the other, just sayin that whole argument about security because we have access to the sourcecode is rubbish.
Re: (Score:3)
One of the things I've liked about open source is that it makes vulnerabilities more accessible. I mean that I like that from a user's point of view. If vulnerabilities are easier to discover, then it's easier for them to become publicized and fixed, especially if many vulnerabilities are discovered coincidentally by many groups. If vulnerabilities are hard to discover, then only someone spending all their time searching for vulnerabilities is likely to find it (as opposed to users or system administrators
Re: (Score:1)
The first question anyone should ask before buying any Android device is "can I install a custom ROM on this?"
thanks for the laugh, the funny thing is there are actually people so disconnected from reality that they would actually believe that.
Android fragmenting (Score:4, Interesting)
Re: (Score:2)
Proprietary software has no advantages [and] is always crap.
I agree with you that free software has proven itself excellent for libraries and frameworks. But there are a few kinds of software [pineight.com] that free software hasn't been able to match, such as video games, playback software for digitally restricted motion pictures, and tax preparation software. As I've said before, the "year of the FOSS desktop" is the year when these get ported [slashdot.org].
the fragmentation [of the Android platform]
is a feature! not a bug!
It's a bug when it includes the habit on the part of certain device manufacturers and wireless carriers of not comp
Re:Android fragmenting (Score:5, Interesting)
Regardless of the infection, you still need physical access to the APK in question in order to circumvent its security, which seems like a feat in itself. I suppose this is akin to a local security rights elevation. It's a big deal, but doubtfully something that would reach mass infection levels.
Re: (Score:2)
Regardless of the infection, you still need physical access to the APK in question in order to circumvent its security, which seems like a feat in itself. I suppose this is akin to a local security rights elevation. It's a big deal, but doubtfully something that would reach mass infection levels.
I don't know about that.. 3d printers are pretty popular nowadays.
Re: (Score:3, Insightful)
Patches? Hahahahahahaha
I'm pretty sure my carrier forgot my phone model existed the moment they sold it to me. It's a buggy piece of shit that hasn't ever gotten any patches.
If google were competent... (Score:5, Funny)
If Google were competent they would have shipped Android with a modified HOSTS FILE. Hosts files can protect you from APK modification and cubic time bastards.
Re:If google were competent... (Score:5, Funny)
I'm curious, how would a different hosts file help you in this situation?
It makes it easier for you to recognize jokes than the default hosts file does.
Re: (Score:2)
The moderation (+4, Funny) should have been a dead giveaway....
Ah, Java... (Score:2, Insightful)
...write once, zero-day everywhere!
Android is based on Linux (Score:1)
Re: (Score:2)
Android != Linux. Digital signature checks are part of the Android runtime, nothing to do with the underlying OS.
There are plenty of embedded Linux systems that are totally insecure -- my webcam, for example, came by default with a telnet port that took you to a root shell -- but that's nothing to do with Linux.