A four-year-old vulnerability in an open source component that is a critical part of Google’s Android mobile operating system could leave devices that use it open to attack, according to researchers at the firm Bluebox Security.
The vulnerability was disclosed on Tuesday. It affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox. According to Bluebox, the vulnerability was introduced to Android by way of the open source Apache Harmony module. It affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications, according to Jeff Forristal, Bluebox’s CTO. He will be presenting details about the FakeID vulnerability at the Black Hat Briefings security conference in Las Vegas next week.
Application signatures are the basis of the Android application trust model. The certificate that signs an application ties it to a specific identity, and the system implicitly trusts that identity when deciding what permissions the application is granted and what local resources it can access.
As with web sites, mobile application signatures on Android are secured using a Public Key Infrastructure (PKI), in which certificate authorities (for example, Verisign) issue digitally signed certificates. Downstream consumers like web browsers or mobile devices can verify that a signature is legitimate using a cryptographic proof. Once a certificate is determined to be valid, it is trusted by default. A certificate issued by an intermediate party is likewise trusted if that party’s own certificate was vouched for (signed) by a trusted certificate authority; the sequence of issuer signatures leading back to the authority is known as a “certificate chain.” The important point is that each link in the chain is a signature, not merely a name: a certificate that names some issuer is only as trustworthy as the proof that the named issuer actually signed it.
But according to Forristal, head of the company’s security research group, the package installer component of older versions of Android does not attempt to determine the authenticity of the certificate chains that vouch for newly installed identity certificates. It links the certificates by name without checking the issuer’s signature. In short, Bluebox writes, “an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim.”
The security implications of this are vast. Malicious actors could create a malicious mobile application whose signing certificate claims to be issued by Adobe Systems, and include a copy of Adobe’s public certificate in the chain. Once the application is installed, vulnerable versions of Android will treat it as if it were actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and the virtual ‘sandbox’ environment that keeps malicious programs from accessing sensitive data and other applications running on the Android device.
In a conversation with The Security Ledger, Forristal, who heads Bluebox Labs, said that there are many possible ways the vulnerability could be used by malicious actors. In the case of Adobe applications, all devices prior to Android 4.4 (“KitKat”) are vulnerable to an Adobe Systems webview plugin privilege escalation, in which vulnerable versions of Android will allow a malicious application to act as a webview plugin for all other applications. That could enable an attacker to inject Trojan horse code (in the form of a webview plugin) into other mobile applications on the vulnerable device. In other cases, a FakeID-signed malicious application could bypass the OS-level firewall features or get access to wireless components like NFC (Near Field Communications) hardware to spread on a network or send data off site, Bluebox said.
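The difference between the name-only chain check Forristal describes and a proper one is easiest to see in code. The following is an added example, not Bluebox’s or Android’s code: it models a chain in which a leaf certificate claims to be issued by a trusted anchor (playing the role of the Adobe certificate in the scenario above), and shows that a check which only matches issuer and subject names grants the privilege to a forged chain, while a check that also verifies the issuer’s signature does not. The “Vendor Root” and package names, the certificate layout and the keys are all constructed for illustration; the signatures use textbook RSA over tiny locally generated primes so the example runs offline with only the standard library, which is a toy and not a usable signature scheme.

```python
"""Toy model of the certificate-chain check that FakeID bypassed.

Added example (not Bluebox's or Android's code). Textbook RSA with tiny,
deterministic keys is used only so the chain logic runs offline with the
standard library; names, keys and the certificate layout are constructed.
"""
import hashlib
import math
from dataclasses import dataclass


def _next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine for 2**20-sized seeds)."""
    while any(n % k == 0 for k in range(2, math.isqrt(n) + 1)):
        n += 1
    return n


def make_keypair(seed: int):
    """Textbook RSA key pair (n, e), (n, d) from small primes. Insecure toy."""
    p = _next_prime(seed)
    q = _next_prime(p + 1000)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:      # keep e invertible mod phi
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple   # (n, e) belonging to the subject
    sig: int     # signature over tbs() made with the issuer's private key

    def tbs(self) -> bytes:
        """'To be signed' bytes: every field except the signature itself."""
        return f"{self.subject}|{self.issuer}|{self.pub[0]}|{self.pub[1]}".encode()


def issue(subject: str, issuer: str, subject_pub, signing_priv) -> Cert:
    unsigned = Cert(subject, issuer, subject_pub, 0)
    return Cert(subject, issuer, subject_pub, sign(signing_priv, unsigned.tbs()))


def chain_linked_by_name(chain) -> bool:
    """Vulnerable pattern: each issuer name must equal the next subject name,
    but nobody checks that the named issuer actually signed the child."""
    return all(child.issuer == parent.subject
               for child, parent in zip(chain, chain[1:]))


def chain_verified(chain) -> bool:
    """Hardened pattern: the same name linkage, plus each child's signature
    must verify under its parent's public key."""
    return all(child.issuer == parent.subject
               and verify(parent.pub, child.tbs(), child.sig)
               for child, parent in zip(chain, chain[1:]))


def grants_privilege(chain, anchor: Cert, chain_check) -> bool:
    """Privilege is granted when the chain passes and the trusted anchor
    certificate appears in it, which is the pattern FakeID abused."""
    return chain_check(chain) and anchor in chain


# Constructed scenario: a self-signed anchor, one legitimately issued leaf,
# and one forged leaf that only claims the anchor as its issuer.
ANCHOR_PUB, ANCHOR_PRIV = make_keypair(2**20)
ANCHOR = issue("Vendor Root", "Vendor Root", ANCHOR_PUB, ANCHOR_PRIV)

LEGIT_PUB, LEGIT_PRIV = make_keypair(2**20 + 50_000)
LEGIT_LEAF = issue("com.example.legit", "Vendor Root", LEGIT_PUB, ANCHOR_PRIV)
LEGIT_CHAIN = [LEGIT_LEAF, ANCHOR]

# The attacker copies the public anchor cert verbatim into the chain, but can
# only sign the forged leaf with a key of their own.
EVIL_PUB, EVIL_PRIV = make_keypair(2**20 + 100_000)
FORGED_LEAF = issue("com.example.malware", "Vendor Root", EVIL_PUB, EVIL_PRIV)
FORGED_CHAIN = [FORGED_LEAF, ANCHOR]

if __name__ == "__main__":
    for label, chain in (("legit", LEGIT_CHAIN), ("forged", FORGED_CHAIN)):
        print(label,
              "name-only:", grants_privilege(chain, ANCHOR, chain_linked_by_name),
              "verified:", grants_privilege(chain, ANCHOR, chain_verified))
```

Running the block prints that the legitimate chain is accepted by both checks, while the forged chain is accepted by the name-only check and rejected once the parent’s public key is actually used to verify the leaf’s signature. Nothing about the forged leaf is secret: the attacker needs only the public anchor certificate, which is exactly why a check that links by name alone provides no security.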
The code behind FakeID was originally part of Apache Harmony, a now-discontinued effort to offer an open source alternative to the Java technology now owned by Oracle. Google turned to Harmony as an alternative means of supporting Java on its operating system after failing to strike a deal to license Java directly from Sun Microsystems, Java’s owner at the time, which Oracle later acquired. Work on Harmony was discontinued in November 2011.
However, Google has continued using Android core class libraries that are based on Harmony code. The certificate-validation vulnerability in the package installer module persisted even as the two codebases diverged.
Forristal is a well-known expert on the security of Android. He discovered a similar vulnerability that affected more than 900 million Android devices last year which he dubbed “Master Key.”
He said FakeID was more serious than Master Key because it could be used by attackers to silently compromise vulnerable Android devices. Other mobile security holes still require phone owners to approve the installation of the application and OK what Forristal called “crazy permissions” before any malicious actions can be taken.
Not so FakeID. “It’s completely silent and stealthy,” he said. “This is the stuff malware is made of and there’s a big potential to affect the Android ecosystem.” Forristal said Bluebox approached Google in April regarding its findings, and the company produced a patch.
In an email statement to The Security Ledger, a Google spokesman acknowledged working with Bluebox to fix the vulnerability. “After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP,” he wrote. “Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability.”
Forristal said the fix is now in the hands of handset makers, which are working on firmware updates. However, the fragmented Android ecosystem means that many Android device owners may never receive a patch for their device.
The security of open source software has received more attention in the wake of the Heartbleed vulnerability – a serious and widespread flaw in a commonly used open source package called OpenSSL.
Joshua Corman, the CTO at the security firm Sonatype, said that his company is tracking vulnerabilities in open source modules like Harmony and said they are becoming more prevalent, and more serious. While Heartbleed received notoriety and a prompt response from the security community, many similarly severe holes are likely to exist in lesser known open source modules – some of them discontinued.
“This is not an anomaly,” Corman said, referring to FakeID. “Heartbleed had a logo and got lots of attention, but there are other vulnerabilities that we don’t talk about where the attack surface was just as large and that caused just as much damage.”