99% of Android Devices Vulnerable to App Modification

Bluebox (named after the early phone phreaking device) disclosed the vulnerability to Google in February. So far it seems that only the Galaxy S4 has been patched.

The vulnerability is a code signing flaw. Developer's 'sign' their apps with a cryptographic signature. That way, only the app developer is able to update or modify an existing app, because only the developer has the signature. Bluebox has discovered a way to subvert this. "This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been," blogged Bluebox CTO Jeff Forristal on Wednesday.

The danger is that a user could install a 'good' application with known and accepted permissions, and then later be persuaded to accept an update that includes malicious additions by a hacker. Android would simply accept the updates on the basis that the cryptographic signature appears to be correct.

So far Google has not issued a patch; and the fractured nature of the Android market makes it likely that some devices will never be fixed. For most users the only defense is avoidance. Back in April, Google added a new condition to its Google Play Developer Program Policies. It states, “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism.”

It seems likely that this condition was added at least partially in response to the vulnerability found by Bluebox. Despite Android's open market, it means that any app first downloaded from the Play app store can only be updated via the Play app store. 

"The Google Play store has been 'patched' so that no tampered apps can be uploaded to Google’s servers," explains Android Central. "That means any app you download from Google Play is clean — at least where this particular exploit is concerned. But places like Amazon, Slide Me, and of course all those cracked APK forums out there are wide open and every application could have bad JuJu inside it."

So the immediate solution to a very serious Android issue for most Android users is actually rather simple: never sideload. Sideloading is the installation of an app via any route other than the official app store. If Android users restrict themselves to apps from the Play store, they should be safe.

What’s hot on Infosecurity Magazine?