Recently discovered, an Android vulnerability called Fake ID allows apps to impersonate other apps by copying their identity. Each app has its own unique identity, as defined by the developers, after they create their public\/private key pair. This identity is a digital certificate used to cryptographically sign the app package (.apk file for Android) to be later verified by a tool or operating system for authenticity. Yet developers can copy an identity from another app, combine it with the new app\u2019s identity to make a chain of certificates, attach that chain to the new app, and essentially \u201cpose\u201d as the former app. Given the nature of the vulnerability, it is likely that only malicious developers would conduct such activities. In addition, depending on which certificate details are copied, there could be a risk of the malicious application gaining more privileged access to the system or other running applications due to the trusted nature of some certificates.<\/p>\n
At the heart of its security model, the Android operating system, like many other contemporary platforms, includes a component capable of verifying application packages via their signatures to ensure they match the app they are attached to. The Fake ID vulnerability fundamentally breaks this verification process and leaves the system unable to verify the authenticity of the certificate chain. This means that one application can claim to be issued by another application or identity. In theory the component should validate the certificate chain by checking the issuer signature of a child certificate against the public certificate of the issuer.<\/p>\n
Depending on the behavior of the application installed–or of the certificate copied–and whether that has any default level of trust on the Android platform, data could be leaked from the device or other malicious activities could take place. Given the lack of warnings in all but the latest version of Android, a user would be none the wiser if an exploit had taken place.<\/p>\n
Users of Android Versions 2.1, Eclair, through to 4.3, Jelly Bean, are vulnerable to this exploit, but the threat may depend on the hardware manufacturer or the applications on the system as to whether a malicious application could receive elevated privileges.<\/p>\n
Google patched this vulnerability in the latest Android, Version 4.4.4, in April and has released the patch to OEMs. All users should make sure they have this version of Android on their devices or should take the measures noted below to make sure they\u2019re not affected.<\/p>\n
Depending on the hardware manufacturer and the version of Android, a user may be vulnerable to one or more privileged-attack vectors. Given that this problem relates to chains of certificates, a hacker could choose to include many certificates to cover all options, and more, in their specifically crafted malware.<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Recently discovered, an Android vulnerability called Fake ID allows apps to impersonate other apps by copying their identity. Each app…<\/p>\n","protected":false},"author":695,"featured_media":131275,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1838,442],"tags":[37,214],"coauthors":[4136],"class_list":["post-37352","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobile-security","category-mcafee-labs","tag-android","tag-mobile-security1"],"acf":[],"yoast_head":"\n