How You Can Prevent Android Vulnerabilities in 2020
At the end of May, news broke that a leading security expert had found a major leak in Android that makes it possible for software to masquerade as an update for another Android application.
Today, more details about the leak have come out. We explain exactly what is going on and how you can avoid becoming a victim of abuse of the leak.
Android uses installation files for applications. These files are called APKs (Android application packages) and contain everything an application needs: graphics, code and layouts. To ensure that these files cannot be tampered with, they are digitally signed. Developers use this digital signature.
When the digital signature is checked, specifics of the application are examined as well. For this type of file, it is customary to look at the size of the file and the signature to make a kind of digital fingerprint of the content. When the signature is checked, it is only valid if the other features of the app are correct.
When an application is updated, whether it is an app you installed from the Play Store, an app you downloaded somewhere else, or an app that was already on your phone when you bought it, the system checks the digital signature. The signature of the update should be the same as that of the installed app.
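The content-fingerprint part of the check described above can be sketched as follows. This is an added example, not code from the original article or from Android: it assumes the JAR-style `META-INF/MANIFEST.MF` digest list that signed APKs carry, checks only that each file matches its listed digest (not the signature over the manifest itself), and `build_sample` is a hypothetical helper that constructs a sample archive.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Map each entry name in MANIFEST.MF text to (algorithm, base64 digest)."""
    # Long values wrap onto continuation lines that start with a single space.
    lines = text.replace("\r\n", "\n").replace("\n ", "").split("\n")
    digests, name = {}, None
    for line in lines:
        key, sep, value = line.partition(": ")
        if not sep:
            name = None               # a blank line ends the current entry
        elif key == "Name":
            name = value
        elif name and key.endswith("-Digest"):
            digests[name] = (key[:-len("-Digest")], value)
    return digests

def verify_apk(apk_bytes):
    """Return a list of problems; an empty list means every file matches."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        listed = parse_manifest(apk.read("META-INF/MANIFEST.MF").decode("utf-8"))
        # Signature metadata lives under META-INF/ and is not listed itself.
        names = [n for n in apk.namelist()
                 if not n.startswith("META-INF/") and not n.endswith("/")]
        for name in names:
            if name not in listed:
                problems.append(f"{name}: not covered by the manifest")
                continue
            algo, expected = listed[name]   # e.g. "SHA-256" or "SHA1"
            actual = hashlib.new(algo.replace("-", "").lower(), apk.read(name)).digest()
            if base64.b64encode(actual).decode() != expected:
                problems.append(f"{name}: digest mismatch")
        problems += [f"{n}: listed but missing" for n in sorted(set(listed) - set(names))]
    return problems

def build_sample(files, manifest_files=None):
    """Constructed sample: zip `files` with a manifest computed from `manifest_files`."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in (manifest_files or files).items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            archive.writestr(name, data)
    return buf.getvalue()
```

Passing the bytes of a file whose content was changed after the manifest was written returns a `digest mismatch` entry for that file, which is the result a working fingerprint check is supposed to produce.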
Jeff Forristal, CTO at Bluebox Security, said he had discovered a flaw in Android that allows installation files to be modified without the system noticing that anything has changed. The system still checks the content, the digital fingerprint and the digital signature, but does not notice that changes have been made. The digital signature is therefore the same as that of the original app and the digital fingerprint seems to be correct, even though the installation file has been tampered with.
Applications that carry the digital signature of the device manufacturer or of Google have access to more rights than applications from other parties. If a malicious party were to adapt such an application and offer it as an update, that party would be able to do almost anything on the device and have access to all information. Abuse of this vulnerability can therefore have far-reaching consequences.
On the Bluebox Security weblog, Forristal offers evidence that the leak actually exists and can be abused. He does this in the form of the screenshot that you can find below. It shows an HTC device on which he has changed a system value. Incidentally, this is not very convincing evidence: such settings can be adjusted on devices with root access, and a screenshot can always be edited. However, it seems almost certain that the leak exists: Forristal has a good reputation in the security world.
In late July, Forristal will give a presentation at a security conference, where he will reveal technical details and then release tools and examples related to the leak.
Google was informed of the error in February of this year. This is normal practice for security researchers, and Forristal was even the first to draw up a policy stating that vulnerabilities should be revealed, but that they must be reported to the owner of the software in which the leak is found.
Does this mean that devices that recently received an update to a new Android version are no longer vulnerable? No, unfortunately not. Forristal indicated in an interview with CIO that only the Samsung Galaxy S4 is not vulnerable to modified installation files.
That indicates that Google has given its partners all the information needed to seal the leak. Nexus devices would still be vulnerable, but presumably this will be resolved with the next update.
Google has also informed Forristal that it has adjusted the checking of installation files in the Google Play Store. Files modified with Bluebox's method are detected by Google and not allowed into the Google Play Store. In addition, all the apps available in the Google Play Store have been scanned by Google, and reportedly no apps were found that abuse the leak.
Although Google has issued no statement regarding the leak, it is clear that the company takes the security risk seriously. One of the measures that could be related to the vulnerability is the ban on updating Play Store apps outside the Play Store.
Since Facebook used this strategy to test new features, there was talk of an attempt by Google to thwart Facebook, but updating apps outside the Play Store does indeed bring security risks with it: Google can then no longer scan the apps for malicious software. What's more, to install an update from outside the Play Store, the function for installing software from unknown sources must be enabled.
Most users do not normally do this, but if a company like Facebook, whose application has been installed millions of times, recommends it, many people will. Facebook is now testing new features in a different way, as you can read here.
The Galaxy S4 is not vulnerable to this issue, but all other devices are still vulnerable according to Forristal. This applies to all other devices running Android 1.6 and higher, about 99% of Android devices. The problem is that it often takes a long time before manufacturers release (security) updates for their devices, so devices can contain security holes for a long time.
To prevent abuse of holes of this kind, Google seems to have Google Play Services. This application, which Google installs automatically on Android devices with Android 2.2 or higher, gives developers the opportunity to offer new Android features in their apps without the user needing an Android device with the latest Android version.
This package appears to offer still more: the service can check applications before they are installed. That suggests that Google has a solution for the leak even for devices that have not had a security update. Currently fewer than 2% of active Android devices run a version lower than Android 2.2, which (if the checking of installation files is indeed handled by Google Play Services) means the number of potential targets is smaller. Here you can read more about Google Play Services.
It is annoying that Google has issued no statement about the measures the company has taken, so we cannot say with certainty that updates downloaded outside the Play Store are checked by Google Play Services.
What can you do?
First, it is important to note that the chance of this leak being exploited is very small. To exploit the vulnerability, an installation file (adapted by a malicious party) has to be put on your device, and you as the user have to install it.
Only when it is a disguised update file for an existing system application, that is, an app from Samsung, HTC, Sony, LG or Google, can it affect the system itself. Updates for other apps from outside the Play Store can also abuse the leak, but with more limited, though no less dangerous, opportunities for abuse.
What can you do yourself to avoid becoming a victim of abuse of this vulnerability? Well, updates that are distributed through the Google Play Store are safe from this leak. That is, updates to apps that were on your phone when you got it, or that you installed later, have not been tampered with when they come through the Google Play Store.
When can the leak be dangerous? When you believe you are installing an update to a system application, that update may have been tampered with. Let's take an example. Suppose there is an update available for Gmail.
Since Google rolls out updates in phases, the Google Play Store may not yet indicate to you that there is an update. If you go searching the net, you will almost certainly find an installation file for this new version of Gmail for Android.
You then install this file on your device. Because of the leak, the system cannot properly see whether the installation file has been tampered with, so you may unwittingly install malware.
For applications installed from other sources, such as third-party application stores and websites with pirated versions of paid Android apps and games, many cases of malware are known. That story does not really change now.
However, it is now possible that apps offered as an update to an existing app also contain malware, and that this malware can use significant system privileges. Standalone apps or games from these sources, including Android apps fetched from illegal sources, could always contain malware.
In fact, unless you have a very good reason, we recommend turning off the option: Allow install apps from unknown sources (in Settings -> Security).
However serious the leak itself is, the possibilities for abusing the vulnerability are very limited. That does not mean that you run no risk in other ways. For example, when you install applications that come from untrusted sources or developers, you run the risk that they are infected with malware.
Applications distributed through the Google Play Store are automatically scanned for known malware and are therefore relatively safe, and apps distributed via the Amazon Appstore are manually checked and are therefore safer than average.
Please be aware that applications are not guaranteed to be 100% safe, even if they are offered through the Google Play Store. Check whether the app comes from a well-known developer; the ratings that others give the app and the number of times it has been downloaded can also be a good indicator of whether the developer can be trusted.
In addition, it is wise to exercise extreme caution about the permissions an application requires.