The Bluebox Security research team has unearthed another critical Android vulnerability. Named “Fake ID,” the security bug can be used by malicious applications to impersonate specially recognized trusted apps – and get all the privileges they have – without the user being any the wiser.
The bug is present in all Android versions since 2.1 (“Eclair”), excluding the latest Android 4.4 (“KitKat”). Devices on which Google bug 13678484 has been patched (the patch was issued earlier this year) are not vulnerable. All HTC, Pantech, Sharp, Sony Ericsson, and Motorola devices that have 3LM device administration extensions are also at risk.
In order to understand the vulnerability, one must first understand the Android security model. Applications are signed with digital certificates, and this signature defines who can update the app, what applications can share its data, and so on.
But some signatures are given special privileges.
“For example, an application bearing the signature (i.e. the digital certificate identity) of Adobe Systems is allowed to act as a webview plugin of all other applications, presumably to support the Adobe Flash plugin. In another example, the application with the signature specified by the device’s nfc_access.xml file (usually the signature of the Google Wallet application) is allowed to access the NFC SE hardware. Both of these special signature privileges are hard coded into the Android base code (AOSP),” says Bluebox Security CTO Jeff Forristal.
“On specific devices, applications with the signature of the device manufacturer, or trusted third parties, are allowed to access the vendor-specific device administration (MDM) extensions that allow for silent management, configuration, and control of the device.”
“Android applications use the same certificate signature concepts as SSL, including full support for certificates that are issued by other issuing parties (commonly referred to as a ‘certificate chain’),” he explains.
Unfortunately, the Fake ID vulnerability effectively breaks this system, because the Android package installer doesn’t cryptographically verify the certificate chain an app presents – that is, it never checks that each certificate was really signed by the issuer it names. This allows an attacker to impersonate apps that are allowed to bypass Android sandboxing (such as Adobe Flash, Google Wallet, etc.).
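The following Go program is an added illustration of the flaw described above, not Bluebox’s or Android’s code: it builds a constructed “trusted” root, one app certificate the root really signed, and one self-signed by an unrelated key whose Issuer field merely names the root, then compares a name-only chain check (the flawed behaviour) with real signature verification. The signer name, subject names and keys are all constructed on the fly and stand in for nothing real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed demo: a stand-in name for a privileged signer; all keys are generated per run.
const trustedCA = "Trusted Vendor CA"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func named(cn string) *x509.Certificate { return &x509.Certificate{Subject: pkix.Name{CommonName: cn}} }

// issue makes a key for subject and signs its cert with signerKey (nil = self-signed).
// Only the Issuer *name* is copied from parent; nothing ties signerKey to that name.
func issue(subject string, isCA bool, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signerKey == nil {
		signerKey = key
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// NameOnlyChainOK mirrors the flawed installer logic: link leaf to CA by issuer name alone.
func NameOnlyChainOK(leaf, ca *x509.Certificate) bool { return leaf.Issuer.CommonName == ca.Subject.CommonName }

// VerifiedChainOK is the fix: the CA's public key must actually verify the leaf's signature.
func VerifiedChainOK(leaf, ca *x509.Certificate) bool { return leaf.CheckSignatureFrom(ca) == nil }

// Scenario: trusted root, a leaf the root really signed, and an impostor leaf self-signed
// with an unrelated key that merely names the root as issuer. Returns true, true, true, false.
func Scenario() (genuineByName, genuineVerified, forgedByName, forgedVerified bool) {
	ca, caKey := issue(trustedCA, true, named(trustedCA), nil)
	genuine, _ := issue("genuine app", false, ca, caKey)
	forged, _ := issue("impostor app", false, named(trustedCA), nil)
	return NameOnlyChainOK(genuine, ca), VerifiedChainOK(genuine, ca),
		NameOnlyChainOK(forged, ca), VerifiedChainOK(forged, ca)
}
```

The name-only check accepts the impostor just as readily as the genuine certificate; only the signature check, which a package installer must perform for every link in the chain, tells them apart.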
Forristal is set to present technical details of the bug and demonstrate exploits for it next week at the Black Hat conference, where the company will also publish a free security scanning tool for users to check whether their devices are vulnerable.