Slashdot Mirror
Old Apache Code At Root of Android FakeID Mess
chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, "an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."
The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.
Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.
The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.
Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.
Phew, good thing Android is open source and these vulnerabilities will be patched right away be all those "for profit" companies, who wouldn't want their users to get angry!
Giggity
The patch already exists, now it's up to our cell carriers to distribute it.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Actually the patch is already distributed without any manufacturer intervention required. http://www.osnews.com/story/27...
Couldn't this be patched as part of an update to the Google Services Framework? From what I understand, Google controls the Google Services Framework and can push updates even to phones/devices that haven't been updated by their network provider.
This is why I have a big problem with Android. The carriers have nothing to do with manufacturing or maintaining the phone. Why should they have anything to do with the update process. Updates should come straight from the manufacturer, and carriers should not have their own custom firmware. Or even better, all updates should come straight from Google. The only customizations at the manufacturer level should be applications which can be reinstalled (or uninstalled) at the customer's discretion. Apple does it, Windows phone does it. Why can't Android do the same thing.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
JESUS FUCKING CHRIST, I know this is Slashdot, but were you totally unable to read even the second sentence of the summary?
Um if you read TFA it says Google is using code that was discontinued years ago. So one has to ask Google how they could be so stupid.
My karma is not a Chameleon.
And a lot of android is open source. And it's used by many parties.
There were fewer eyes back then...
There are craploads of devices discontinued by the manufacturers. Are they covered by the patch?
sigh. merely replying to undo accidental moderation. meant to moderate insightful not redundant. slashdot really needs a manual undo of moderation.
Why are we blaming yet another coding mistake on Native Americans?
Native Americans are just as good as anyone at programming. I'd even say the Apache tribe has some top notch C++ people. Yes, the computers don't last long in the sweat lodges, but that's the price you pay for that "Made by real Americans" label.
10% of the Google Play store wouldn't be malware.
It's not. That claim was typical hyperbole by an AV vendor desperately trying to find a market to sell their snake oil in now that Windows is in decline. The report they used even showed the Google Play Movies application as malware... They've since backed off the claim, but of course the mud (as intended) still sticks.
http://www.techrepublic.com/ar...
Kind of strange how all these reports of Open Source vulnerabilities are increasing recently. Despite the fact that, as in Heartbleed, hyped to the max, very few actual bad things seem to happen. Almost as if it were coordinated.
I don't know the fine details of this bug, but am I the only one appalled at how obvious this bug sounds? It doesn't even properly check the certificate? I mean buffer overflows and such are one thing, but not properly testing your certificate code seems unforgivable.
It's the Java runtime. It allows other programs written in Java to run. It is not Java itself.
I only said 10%, not 70% or any of the other high numbers in the July 2014 trend micro report.
If you have any of Google's apps installed, you'll also have Play Services installed - and this has already been updated to detect attempts to use the specific vulnerable certificates involved. If you only get your apps from the Play Store, you're fine, as they've already all been scanned (and no exploit attempts detected). Even if you sideload, so long as you left the Verify Apps checkbox on (default setting), then Play Services will scan any sideloaded apps too (no exploit attempts have been detected that way either).
While the vulnerability is a serious one, it's not something that will concern the vast majority of Google's Android users. It's probably a lot more significant for companies like Amazon, who will have to develop their own response, and (inevitably) for all those millions of Chinese users of generic non-Google Android derivatives.
Why would anyone engrave "Elbereth"?
Relying on Java for anything fundamental is going to bite you in the butt.
#DeleteChrome
Luckily, it's entirely because they have been "taking android back" that they've been able to issue a (closed-source) Play Services response to the threat so quickly, to all Google-using android phones regardless of carrier.
Why would anyone engrave "Elbereth"?
And a lot of android is open source. And it's used by many parties.
As soon as you put open source code into your product, it's part of your product, and the quality is your responsibility. If you are a small time developer, you can use "Google used it as well, and they didn't find the problem" as an excuse. If you are Google, that excuse doesn't work.
Not just that.. its already reasonably moot.
http://www.osnews.com/story/27868/Another_day_another_sensationalist_unfounded_security_story
"First, a patch been sent to OEMs and AOSP, but with Android's abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed"
Google reacted to this disclosure rapidly and well.
Of course such a vulnerability would probably never be FOUND in iOS or WinPhone, since they are closed source, and almost certainly never disclosed if it was.
Just update your play store, and you are safe unless you are sideloading (never a great idea)
If you are sideloading then if you leave verify apps on, its also no problem.
Google are also scanning all apps on Google Play to check no one has been trying this.
Yawn, another google/Android beatup trying to wag the dog. Not hard to guess where the spin is originating.
What did Apache expect when their code was written by Cowboys?
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Find a popular ROM at XDA derived from whatever version you want to stick with and flash it (with a compatible kernel) to your phone.
Until you have a few months of reflashing experience, DO NOT attempt to flash any ROM that requires repartitioning the flash, and don't ask the recovery manager to wipe /system unless you really know what can happen & have a plan for dealing with it. This goes DOUBLE for anybody with a Samsung Galaxy S3.
Long story short: the eMMC is kind of like a SSD controller, and there are MAJOR known bugs (and plenty of poorly-understood ones, too) in the firmware. Basically, it's as if you tried to use Linux to create a new filesystem, but a bug caused it to just make all the old directories owned by some undefined user with impossible permissions instead... and do it in a way that made the drive initially LOOK reformatted, but spontaneously resurrect those corrupted files as more and more writes occurred.
Now for the bad news (if you have a Galaxy S3) -- the eMMC firmware installed with stock roms older than 4.3 is dangerously buggy with AOSP-derived ROMs, and getting rid of enough of those bugs to semi-safely do wholesale repartitioning almost requires installing a stock-derived (but hacked so it doesn't enforce Knox) ROM first to get the eMMC firmware updated. More confusingly, the eMMC firmware is part of the radio modem firmware, even though it doesn't really have anything to do with the radio modem itself. So, if you're running a 4.1 stock ROM and want to install a 4.1 AOSP-derived ROM, tread VERY carefully, and pay special attention to any warnings at XDA that involve the word "eMMC".
I only said 10%,
Then where does the 10% claim come from?
Oh right - it was made up by AV vendors trying to scare peopple into buying their products.
Unless you’ve had your head under a rock you’ll have noticed the latter is fast becoming the weapon of choice for Google’s rivals in attempting to curtail the former. On paper it should. Android malware rose from 238 threats in 2012 to 804 new threats in 2013. What was the combined total of new threats for Apple iOS, BlackBerry OS and Microsoft Windows Phone in that time? Zero. The remaining 3% came from Nokia’s axed Symbian platform.
All of which poses a very valid question: how do you stay safe on Android? Perhaps surprisingly the answer is: easily. Why? Because here’s the part Google’s rivals don’t want you to know: the figures are misleading.
Let’s be clear. From a statistical viewpoint researcher and security specialist F-Secure got them right. Android does account for 97% of all mobile malware, but it comes from small, unregulated third party app stores predominantly in the Middle East and Asia. By contrast the percentage of apps carrying malware on Google’s official Play Store was found to be just 0.1%
http://www.forbes.com/sites/go...
So that one's busted. Anything else you'd like to sell?
cell carriers? I have a google nexus (one) and it was abandoned BY GOOGLE, not the carriers, 2 years ago. no security fixes, no nothing. stuck at 2.2.something.
google fucked us over by saying that nexus phones are upgradable and supported. they are not - not by any reasonable definition of 'supported'. I can have linux kernel, ip-stack (etc) updates (at least for security) for 10+ yr old linux pc's. but a few yr old phone - NO WAY. google has the attention span of a 5 yr old.
should I have to throw away a $300 paid for phone that still works, electrically (at least)? this is why I hate android and hate google even more. they use the word 'linux' a lot but they bastardize it and abandon it and tell you 'go re-buy your phone'. sorry, that's not acceptable. not on a device that is less than 5 yrs old and still in perfect working condition. the only issue is the poor software and that will NEVER be fixed, it seems.
I hate google. totally fucking hate their whole development model for phones. (and that leaves me no choice since I also hate apple and their whole scheme of lock-in).
wish there was another choice. the whole mobile data thing really unnerves me with how bad the scene really is.
I guess I can't (or wont) install any apps since the certs can't be trusted (or the code that checks them) and so whatever apps I have now, that's what I have and won't ever have any more on this phone.
(and I fully expect the google fanboys to mod me down. they always do when I yell about their most holy and blessed google.)
--
"It is now safe to switch off your computer."
Native as in "comes with the OS", not as in "compiled to machine code". It is confusing, but that is what I make of it.
Many parts of the Java runtime environment are written in Java.
Essentially, what Java sandboxing is designed to do is to completely separate different apps, so for example your text messaging app doesn't have access to your browser's password storage. On a regular OS, traditional applications have access to all of your files and all of your hardware, meaning one piece of malware can get everything on your computer. Sun hasn't done a great job of implementing the sandbox in their Windows Java plugin. Google may have done a better job on Android.
In Android, you specially allow each app to have access to different things. If a flashlight app requests permission to read your text messages, you don't install that flashlight, because a flashlight has no legitimate reason to be reading text messages.
This bug isn't directly related to sandboxing, but sandboxing does reduce the impact. This bug allowed the author of an app to lie about who they are, about who made the app. So Joe Hacker could have marked his app as being made by Microsoft. If you trust Microsoft, you might install the app thinking it was made by Microsoft, but it wasn't really. So you go to install Microsoft Flashlight and the system says "Microsoft Flashlight wants to read your text messages". You'd click the "fuck off" button because a flashlight app doesn't have any business reading your text messages - even a flashlight app made by Microsoft. So while the bug allowed them to lie about who made the app, you can still see what the app is trying to access and deny if if doesn't make sense.
You weren't abondoned, the core apps still receive updates. The N1 is fine on GB so long as youre using play and updating apps.
If you want a full OS build then look for an aftermarket ROM like Cyanogenmod. I use my Desire Z (cousin of the n1) with Cyanogen 10 and it is fantastic. Do a bit of homework and leave your flaming for reddit.
That's all good and fine but just realise that you are in fact the minority. 2 years is not an accepted life span for many devices, but for many phones it most definitely is. You can thank contracts that last that long and come with a "free" phone.
Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems.
It's a good thing most actors aren't good at programming.
Seriously, why do we feel we must constantly reel words, which were perfectly content in their familiar habitat, into the jargonic fold? "Actor"? Couldn't we have used one of dozens of words already used in everyday English: programmers, hackers, thieves, people? That last suggestion brings up another question: which of the two instances of the word "malicious" could safely be removed from the sentence? Both. After a long introduction about a security hole, we're so ready for a scenario about villainy that we would be positively thrown off otherwise. At least they said "could create" and not "could potentially create."
Someone could put a fake certificate from Adobe into their mobile app.
There.
The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.
After the lawsuit from Oracle and now this, if I were the one who chose Java as Android's language, I would be kicking myself just about every day now.
The Nexus One was abandoned because Google said the hardware was too old. And they have a point - you have to jump through some major hoops to get a modern ROM onto it.
The N1 has 512 MB internal flash, and the way it was partitioned meant Android 4.0 was larger than the N1's system partition. Its partitioning scheme dates from the days when apps couldn't be moved to the SD card, so the system partition is only barely big enough to hold Android 2.3 to allow the maximum possible space for apps. Sure, you can plug it into a PC, repartition and format, load a new system image onto the phone from the PC, use a hack so all apps get silently redirected to an SD card, etc... but there was no way to do an OTA update.
In short: the Nexus One has a critical hardware issue in that it only barely has enough internal space to store its own OS.
Couldn't this be patched as part of an update to the Google Services Framework?
It is and has been.
There is close to zero chance that anyone will be affected by this "Android mess". It's a beat up.
Updated software won't fit on the device is a bullshit excuse for not putting updated software on the device?
This doesn't fix the underlying vulnerability; it merely scans for known ways to exploit it. I'm sure some clever people will find a way to thwart these scans and exploit the vulnerability, unless it gets fixed.
The only way this sort of thing can be taken care of is if Google or some governments in countries with a large market share will mandate vendors of phones or their manufacturers to provide security updates for devices for at least the duration of the contract, but preferably for the expected life of the device. Devices tend to keep working for three or four years, so that way Android users would get a similar security experience as iOS users.
I was promised a flying car. Where is my flying car?
I can thank contracts? this was bought outright and from google.
Irrelevant. The market place in general works on 2 year contracts. Just because you do something different doesn't magically mean a company should support you for it.
In my experience they acted perfectly fine. Compare say your Nexus which received 2 years worth of updates, to *any other Android phone* which never received any updates from the manufacturer.
As for the calibration, I wonder why you didn't return the phone under warranty? You had a problem? Well 200000 other people didn't. There was no major public outcry, and the phone was rated highly in its prime. So why did you sit there waiting for a software fix for a problem only a handful of people experienced?
There were fewer eyes back then...
So it was mpossble?
Only 804 new threats a year? That shows remarkable constraint. I remember a few years ago they were claiming around 50,000 new viruses per day for Windows. Presumably they were counting every slight morphing of a given virus as a new, unique strain.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
If security fixes take up significant amount of additional space, then something's being done wrong. Very very wrong.
Cell carriers don't have to distribute it. Google could use their Play service and patch devices regardless of what the carrier did. They could even scan devices for active use of the exploit.
Well, as we are sailing on the seas of offtopic already, I might ask what's you favorite Pringles flavor? I'll go with the classic Paprika myself.
I'm pretty certain Google has systems in place (as well as an after the fact kill function) to eradicate malicious apps that find their way onto the app store. Doubtless there are some there but they're background noise.
Not as seamless and my wife's iPhone, but close enough for me
And not as long either, Google only provides updates for 18 months. If you buy a phone on a 2 year contract (as many people do) and you get the new Nexus the day it is released, you still have 6 months in which you will not receive (security) updates.
Completely unacceptable.
At the end of the day, android gives users the freedom to choose where they get apps from. But freedom implies the freedom to do stupid things. It won't stop a user installing warez if they want, but if they get owned it's their own damned fault. Not much different from what happens on a PC or Mac really.
That said I don't think Android does enough to protect users from malicious or rogue apps, e.g. allowing the device to deny a permission to the app even if it claims to need it. Cyanogenmod demonstrates it can be added, but Google haven't seen fit to provide that functionality in the stock android code.
It's more like you install a 17 gig OS on a 17 gig disk, and then they release a free service pack that adds a ton of stuff. From Face Unlock to data usage limits to VPNs to support for new screen dimensions. And it needs more space for all the extra code. And then they offer security updates that assume you have the free service pack. They didn't release security fixes for Windows XP SP3 and also backport the fixes to SP2 and SP1.
I can only assume that you rarely talk to non-geeks. I upgrade my phone roughly every 3 years and most of my non-geek friends have significantly older phones than me. Many of them get new phones only when a geeky relative upgrades and hands down their old device, so the least technical users end up with the least secure devices...
I am TheRaven on Soylent News
The report they used even showed the Google Play Movies application as malware
To be fair, that app is capable of downloading Uwe Boll films so you can make a case for it being a bit malwareish.
> wish there was another choice. the whole mobile data thing really unnerves me with how bad the scene really is.
http://jolla.com/ ?
The last major security flaw in iOS was found in open source parts of iOS.
http://nakedsecurity.sophos.co...
And all phones released since 2009 received the patch. (iPhone 3Gs and up)
No not all of Android is open source and Google is close sourcing more and more of what is considered "Android" by most people.
Well, there *is* an unofficial CM11 port. It sounds like the limited memory and storage was a bit of a deal-breaker for everyone trying to support the Nexus One (even the alternate ROMs) until KitKat came along with its reduced resource needs. I suspect installing the Google Play Services stuff to get the app scanning might be asking a bit much.
But yeah, generally speaking I don't disagree with your premise. The Nexus series, of all devices, would be something I'd expect Google to go above and beyond to keep working. I can sorta understand OEM's dropping their flagships pretty much as soon as the conveyors on the production lines stop spinning (and fuck-you-very-much HTC), but I'd hope that platform champion number one could do a little better than that.
Log in or piss off.
Excellent advice! I'll just go tell my mom ....
Faster! Faster! Faster would be better!
because unlike iOS which requires an upgrade of the OS to get a new Appstore, even on devices running 2.3, the Google Play app and Google Play Services can be updated to the latest release without any manufacturer or carrier involvement.
Well no, the excuse will be that google don't want to backport fixes from their 4.2 branch back to their 2.2 branch. And I can't blame them, such backporting is usually alot of work and everybody hates doing it. Plus of course there would be no direct revenue from the engineering effort, other than a certain amount of 'goodwill' (which can apparently be put down on the balance sheet, but that seems a bit nuts to me).
So there's two problems, one - the new Apps/OS won't fix on your device and two - no-one wants to backport the fixes to the old Apps/OS.
Result: Useless device that is not fit for the purpose that it was originally sold for. Does the US have 'not fit for purpose' laws? Perhaps you can return it?
Quite the opposite. Most "Geeks" I know bail out of their contract to get a new phone. The only person I know who doesn't have a phone on a plan is my mother. In every other case you get the latest phone for effectively free. That's how the brain works when you go from paying $40/month, contract expires, keep paying $40/month and a new phone arrives.
Maybe your non-geek friends are on different relationships with their telecom companies than my .... err whole country.
Ah, you're in the USA? Here, most people have pre-pay plans (being locked into a contract is generally seen as negative, unless it comes with some really good deals) and so get the phone that they bought along with their SIM and then hang onto it until it breaks or someone gives them a new one. I don't think I know anyone who pays close to $40/month on a phone bill (a fifth to a tenth of that is common and it's hard for a contract that comes with a new phone to be that cheap). At that price, I'd probably do without a mobile.
I am TheRaven on Soylent News