Unpatched Android Flaw Leaves Android Users Vulnerable

The BBC is reporting that there’s a flaw in Android that could leave you open to having your device taken over or your credit card info swiped. It was discovered by a company called BlueBox Labs and here’s a description of the flaw:
BlueBox has dubbed the vulnerability Fake ID, because it exploits a problem with the way Android handles the digital IDs – known as certification signatures – used to verify that certain apps are what they appear to be.
The issue is that while Android checks an app has the right ID before granting it special privileges, it fails to double-check that the certification signature involved was properly issued and not forged.
Jeff Forristal, chief technology officer of BlueBox, likened the issue to a tradesman arriving at a building, presenting his ID to a security guard and being given special access to its infrastructure without a phone call being made to the tradesman’s employer to check he is really on its books.
“That missing link of confirmation is really where this problem stems,” he told the BBC.
“The fundamental problem is simply that Android doesn’t verify any claims regarding if one identity is related to another identity.”
[Image caption: Apps that make use of Adobe’s Flash plug-in can have malware added to their code]
To make matters worse, he added, a single app can carry several fake identities at once, allowing it to carry out multiple attacks.
That’s not good. What is worse is that, while Google has fixed this, Android users will have to wait for the Samsungs and HTCs of the world to push updates down to them via their mobile phone operators. That could take months, which means that if you’re running Android 2.1 to Android 4.3 you are potentially open to attack. Until that update arrives, the only way to protect yourself is to run BlueBox’s scanner app to see whether your device is affected.
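The missing check the article describes, shown as an added example (not BlueBox’s scanner and not Android’s own installer code): a tiny certificate chain is constructed in memory, and a name-only issuer comparison is run beside a real signature verification. The CA, app and attacker keys and names are all constructed for the demo; the point is that a certificate can claim any issuer name it likes, and only verifying the signature with the issuer’s public key catches the forgery.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// issue returns a certificate for subject whose Issuer field is copied from parent.Subject
// and whose signature is made with signer. Nothing here forces signer to be the parent's key.
func issue(subject pkix.Name, parent *x509.Certificate, signer, holder *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &holder.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// Demo builds a constructed root CA, a genuine child signed with the CA key, and a forgery that
// copies the CA's name into Issuer but is signed with another key; returns (legitByName, forgedByName, legitBySig, forgedBySig).
func Demo() (bool, bool, bool, bool) {
	caKey, caName := newKey(), pkix.Name{CommonName: "Trusted App CA"}
	ca := issue(caName, &x509.Certificate{Subject: caName}, caKey, caKey, true) // self-signed root
	legit := issue(pkix.Name{CommonName: "genuine app"}, ca, caKey, newKey(), false)
	mallory := newKey()
	impostor := &x509.Certificate{Subject: ca.Subject} // the CA's name only; no CA key involved
	forged := issue(pkix.Name{CommonName: "fake app"}, impostor, mallory, mallory, false)
	// Weak check the article describes: accept if the claimed issuer is the trusted CA's name.
	byName := func(c *x509.Certificate) bool { return c.Issuer.String() == ca.Subject.String() }
	// Missing step: accept only if the CA's public key actually verifies the child's signature.
	bySig := func(c *x509.Certificate) bool { return c.CheckSignatureFrom(ca) == nil }
	return byName(legit), byName(forged), bySig(legit), bySig(forged)
}
```

Demo returns true, true, true, false: the name-only check accepts both certificates, while the signature check rejects the forgery.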
This entry was posted on July 29, 2014 at 11:25 am and is filed under Commentary with tags Android, Security. You can follow any responses to this entry through the RSS 2.0 feed.