A Google Android vulnerability that allows hackers to impersonate trusted apps has left potentially millions of smartphone and tablet owners' sensitive information at risk and renewed interest in mitigating bring your own device (BYOD) risks.
The flaw -- dubbed Fake ID by Bluebox Labs, who discovered it -- dates back to January 2010 and was introduced to the platform by code from the now defunct Apache Harmony module. It affects Android versions 2.1 to 4.3; Google fixed the vulnerability in April's KitKat release. However, according to Google's reports, approximately 82% of Android devices still operate on vulnerable platforms.
The Android vulnerability occurs when a malicious app uses a trusted app's ID -- its digital signature. In the Bluebox blog, CTO Jeff Forristal used Adobe Systems for an example: Adobe has its own digital signature, and all programs from Adobe use an ID based on that signature. Because Android grants Adobe special privileges, any app or program using an Adobe ID bypasses security checks and is inherently trusted.
An app impersonating Adobe by using its ID can potentially infiltrate and wreak havoc on a device -- and the OS and user wouldn't know the difference. Forristal also noted two other possible risk scenarios, including an app impersonating Google Wallet's signature to access a device's Near Field Communication chip to collect financial, payment and other confidential user data, and an app using 3LM software's ID -- a now defunct skin manufacturer -- to take control of a device and implant malware on it.
The issue is not confined to a single company, app or signature, and in many cases, even device management software can be fooled if it is not up to date.
The flaw was reported to Google by Bluebox in March of this year, and Google promptly released and distributed a patch in April to manufacturers, Android partners and the Android Open Source Project, with manufacturers having 90 days to implement it. Google also claims the security of Google Play and Verify Apps has been updated to detect the issue. "At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability," Google noted in a statement.
Protecting users and BYOD employees from the Fake ID vulnerability requires smart decision-making when it comes to downloading apps. Only download approved apps from the Google Play Store and never enable apps from untrusted sources. Up-to-date antimalware software should also detect the flaw.
To mitigate enterprise BYOD risks, security departments should use application whitelisting to approve trusted applications; train employees how to avoid phishing scams; use software enabled with app analysis; and – for the utmost security – build an enterprise app store with corporate-sanctioned apps for employees to download.
Bluebox has also released the Bluebox Security Scanner, which will detect Fake ID vulnerabilities.
In other news
- Officials from the Tor Project reported that an attack on the anonymous network could have potentially affected and uncloaked users over a five-month period, from February 2014 to July 4, 2014.According to Tor's official release, "It's still unclear what 'affected' means." The network believes a combination of traffic confirmation and Sybil attacks was used, and is urging its users to upgrade to Tor release 0.2.4.23 or 0.2.5.6-alpha.
- Canadian officials announced "a highly sophisticated Chinese state-sponsored actor" hacked into Canada's National Research Council (NCR) network, putting scientific and trade secrets -- as well as employee and client data -- at risk. Chinese embassy spokesperson Yang Yundong stated that "the Chinese government has always [been] firmly opposed to and combated cyberattacks in accordance with the law. In fact, China is a major victim of cyberattacks." In a statement regarding the breach, NRC said it is in the process of creating a new, more secure IT infrastructure, which could take up to one year to complete.
- In an HP report released this week, investigators found 250 flaws in 10 various Internet of Things (IoT) devices, from TVs and webcams to home thermostats and door locks. Vulnerabilities included the Heartbleed bug, cross-site scripting exploits, weak credentials, privacy concerns, lack of encryption and more. The report concluded with a number of recommendations for securing IoT, including conducting security reviews, implementing strong security standards and more.
Uncover a number of Android security settings and controls to improve Android enterprise security
Learn how to deliver apps securely to mobile users with an enterprise app store
Get advice on securing Android devices with a mobile device security policy