Old Apache Code At Root of Android FakeID Mess
chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, "an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."
The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.
Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.
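The bug the summary describes, a chain check that trusts the issuer name a certificate claims instead of verifying the issuer's signature, shown as an added example that is not from the article, Bluebox, or Android's own code; it assumes the `cryptography` package and uses a made-up "Trusted Vendor CA" and app names.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, issuer_cn, subject_key, signing_key):
    """Certificate for subject_cn that *claims* issuer_cn, signed by signing_key.
    Nothing forces signing_key to belong to the named issuer (the FakeID point)."""
    start = datetime.datetime(2014, 7, 1)  # constructed validity window
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn))
            .issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .sign(signing_key, hashes.SHA256()))

def naive_is_child_of(cert, issuer_cert):
    """Flawed check: believe the issuer name printed inside the certificate."""
    return cert.issuer == issuer_cert.subject

def verified_is_child_of(cert, issuer_cert):
    """Correct check: the name must match AND the issuer's public key must verify
    the signature over the to-be-signed part of the certificate."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def demo():
    """Hypothetical 'Trusted Vendor CA' plus a forged and a legitimate child cert."""
    ca_key, app_key = rsa.generate_private_key(65537, 2048), rsa.generate_private_key(65537, 2048)
    ca_cert = make_cert("Trusted Vendor CA", "Trusted Vendor CA", ca_key, ca_key)
    forged = make_cert("Malicious App", "Trusted Vendor CA", app_key, app_key)  # self-signed, lies about issuer
    legit = make_cert("Legit App", "Trusted Vendor CA", app_key, ca_key)        # really signed by the CA
    return {"naive_accepts_forgery": naive_is_child_of(forged, ca_cert),
            "verified_accepts_forgery": verified_is_child_of(forged, ca_cert),
            "verified_accepts_legit": verified_is_child_of(legit, ca_cert)}
```

The name-only check accepts the forged certificate; the signature check rejects it while still accepting the genuinely CA-signed one.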
Phew, good thing Android is open source and these vulnerabilities will be patched right away by all those "for profit" companies, who wouldn't want their users to get angry!
Giggity
The patch already exists, now it's up to our cell carriers to distribute it.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Actually the patch is already distributed without any manufacturer intervention required. http://www.osnews.com/story/27...
This is why I have a big problem with Android. The carriers have nothing to do with manufacturing or maintaining the phone. Why should they have anything to do with the update process? Updates should come straight from the manufacturer, and carriers should not have their own custom firmware. Or even better, all updates should come straight from Google. The only customizations at the manufacturer level should be applications which can be reinstalled (or uninstalled) at the customer's discretion. Apple does it, Windows Phone does it. Why can't Android do the same thing?
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
JESUS FUCKING CHRIST, I know this is Slashdot, but were you totally unable to read even the second sentence of the summary?
Why are we blaming yet another coding mistake on Native Americans?
Native Americans are just as good as anyone at programming. I'd even say the Apache tribe has some top notch C++ people. Yes, the computers don't last long in the sweat lodges, but that's the price you pay for that "Made by real Americans" label.
10% of the Google Play store wouldn't be malware.
It's not. That claim was typical hyperbole by an AV vendor desperately trying to find a market to sell their snake oil in now that Windows is in decline. The report they used even showed the Google Play Movies application as malware... They've since backed off the claim, but of course the mud (as intended) still sticks.
http://www.techrepublic.com/ar...
I don't know the fine details of this bug, but am I the only one appalled at how obvious this bug sounds? It doesn't even properly check the certificate? I mean buffer overflows and such are one thing, but not properly testing your certificate code seems unforgivable.
If you have any of Google's apps installed, you'll also have Play Services installed - and this has already been updated to detect attempts to use the specific vulnerable certificates involved. If you only get your apps from the Play Store, you're fine, as they've already all been scanned (and no exploit attempts detected). Even if you sideload, so long as you left the Verify Apps checkbox on (default setting), then Play Services will scan any sideloaded apps too (no exploit attempts have been detected that way either).
While the vulnerability is a serious one, it's not something that will concern the vast majority of Google's Android users. It's probably a lot more significant for companies like Amazon, who will have to develop their own response, and (inevitably) for all those millions of Chinese users of generic non-Google Android derivatives.
Why would anyone engrave "Elbereth"?
I see it as good news that security software is getting more attention. There was a lot of bug backlog that's finally getting fixed. Each time a bug is fixed we slowly and steadily eliminate attack vectors. Heartbleed is undoubtedly one of the drivers of this renewed attention, as are the revelations that nation states are actively working to exploit weaknesses. Patching bugs is one of the ways ordinary people can work against mass surveillance.
> Despite the fact that, as in Heartbleed, hyped to the max, very few actual bad things seem to happen.
Not all exploits get noticed. If your old laptop was keylogged, and a year after you got a new laptop you discovered that you were a victim of some sort of identity theft--- would you ever trace it back to the keylogger? If your $device was part of a botnet used for some sort of click fraud, would you notice?
Not just that... it's already reasonably moot.
http://www.osnews.com/story/27868/Another_day_another_sensationalist_unfounded_security_story
"First, a patch has been sent to OEMs and AOSP, but with Android's abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed."
Google reacted to this disclosure rapidly and well.
Of course such a vulnerability would probably never be FOUND in iOS or WinPhone, since they are closed source, and almost certainly never disclosed if it was.
Just update your play store, and you are safe unless you are sideloading (never a great idea)
If you are sideloading, then if you leave Verify Apps on, it's also no problem.
Google are also scanning all apps on Google Play to check no one has been trying this.
Yawn, another google/Android beatup trying to wag the dog. Not hard to guess where the spin is originating.
Find a popular ROM at XDA derived from whatever version you want to stick with and flash it (with a compatible kernel) to your phone.
Until you have a few months of reflashing experience, DO NOT attempt to flash any ROM that requires repartitioning the flash, and don't ask the recovery manager to wipe /system unless you really know what can happen & have a plan for dealing with it. This goes DOUBLE for anybody with a Samsung Galaxy S3.
Long story short: the eMMC is kind of like an SSD controller, and there are MAJOR known bugs (and plenty of poorly-understood ones, too) in the firmware. Basically, it's as if you tried to use Linux to create a new filesystem, but a bug caused it to just make all the old directories owned by some undefined user with impossible permissions instead... and do it in a way that made the drive initially LOOK reformatted, but spontaneously resurrect those corrupted files as more and more writes occurred.
Now for the bad news (if you have a Galaxy S3) -- the eMMC firmware installed with stock roms older than 4.3 is dangerously buggy with AOSP-derived ROMs, and getting rid of enough of those bugs to semi-safely do wholesale repartitioning almost requires installing a stock-derived (but hacked so it doesn't enforce Knox) ROM first to get the eMMC firmware updated. More confusingly, the eMMC firmware is part of the radio modem firmware, even though it doesn't really have anything to do with the radio modem itself. So, if you're running a 4.1 stock ROM and want to install a 4.1 AOSP-derived ROM, tread VERY carefully, and pay special attention to any warnings at XDA that involve the word "eMMC".
I only said 10%,
Then where does the 10% claim come from?
Oh right - it was made up by AV vendors trying to scare people into buying their products.
Unless you’ve had your head under a rock you’ll have noticed the latter is fast becoming the weapon of choice for Google’s rivals in attempting to curtail the former. On paper it should. Android malware rose from 238 threats in 2012 to 804 new threats in 2013. What was the combined total of new threats for Apple iOS, BlackBerry OS and Microsoft Windows Phone in that time? Zero. The remaining 3% came from Nokia’s axed Symbian platform.
All of which poses a very valid question: how do you stay safe on Android? Perhaps surprisingly the answer is: easily. Why? Because here’s the part Google’s rivals don’t want you to know: the figures are misleading.
Let’s be clear. From a statistical viewpoint researcher and security specialist F-Secure got them right. Android does account for 97% of all mobile malware, but it comes from small, unregulated third party app stores predominantly in the Middle East and Asia. By contrast the percentage of apps carrying malware on Google’s official Play Store was found to be just 0.1%.
http://www.forbes.com/sites/go...
So that one's busted. Anything else you'd like to sell?
cell carriers? I have a google nexus (one) and it was abandoned BY GOOGLE, not the carriers, 2 years ago. no security fixes, no nothing. stuck at 2.2.something.
google fucked us over by saying that nexus phones are upgradable and supported. they are not - not by any reasonable definition of 'supported'. I can have linux kernel, ip-stack (etc) updates (at least for security) for 10+ yr old linux pc's. but a few yr old phone - NO WAY. google has the attention span of a 5 yr old.
should I have to throw away a $300 paid for phone that still works, electrically (at least)? this is why I hate android and hate google even more. they use the word 'linux' a lot but they bastardize it and abandon it and tell you 'go re-buy your phone'. sorry, that's not acceptable. not on a device that is less than 5 yrs old and still in perfect working condition. the only issue is the poor software and that will NEVER be fixed, it seems.
I hate google. totally fucking hate their whole development model for phones. (and that leaves me no choice since I also hate apple and their whole scheme of lock-in).
wish there was another choice. the whole mobile data thing really unnerves me with how bad the scene really is.
I guess I can't (or won't) install any apps since the certs can't be trusted (or the code that checks them) and so whatever apps I have now, that's what I have and won't ever have any more on this phone.
(and I fully expect the google fanboys to mod me down. they always do when I yell about their most holy and blessed google.)
--
"It is now safe to switch off your computer."
The Nexus One was abandoned because Google said the hardware was too old. And they have a point - you have to jump through some major hoops to get a modern ROM onto it.
The N1 has 512 MB internal flash, and the way it was partitioned meant Android 4.0 was larger than the N1's system partition. Its partitioning scheme dates from the days when apps couldn't be moved to the SD card, so the system partition is only barely big enough to hold Android 2.3 to allow the maximum possible space for apps. Sure, you can plug it into a PC, repartition and format, load a new system image onto the phone from the PC, use a hack so all apps get silently redirected to an SD card, etc... but there was no way to do an OTA update.
In short: the Nexus One has a critical hardware issue in that it only barely has enough internal space to store its own OS.
Couldn't this be patched as part of an update to the Google Services Framework?
It is and has been.
There is close to zero chance that anyone will be affected by this "Android mess". It's a beat up.
Only 804 new threats a year? That shows remarkable constraint. I remember a few years ago they were claiming around 50,000 new viruses per day for Windows. Presumably they were counting every slight morphing of a given virus as a new, unique strain.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I'm pretty certain Google has systems in place (as well as an after the fact kill function) to eradicate malicious apps that find their way onto the app store. Doubtless there are some there but they're background noise.
At the end of the day, android gives users the freedom to choose where they get apps from. But freedom implies the freedom to do stupid things. It won't stop a user installing warez if they want, but if they get owned it's their own damned fault. Not much different from what happens on a PC or Mac really.
That said I don't think Android does enough to protect users from malicious or rogue apps, e.g. allowing the device to deny a permission to the app even if it claims to need it. Cyanogenmod demonstrates it can be added, but Google haven't seen fit to provide that functionality in the stock android code.
The report they used even showed the Google Play Movies application as malware
To be fair, that app is capable of downloading Uwe Boll films so you can make a case for it being a bit malwareish.
Well, there *is* an unofficial CM11 port. It sounds like the limited memory and storage was a bit of a deal-breaker for everyone trying to support the Nexus One (even the alternate ROMs) until KitKat came along with its reduced resource needs. I suspect installing the Google Play Services stuff to get the app scanning might be asking a bit much.
But yeah, generally speaking I don't disagree with your premise. The Nexus series, of all devices, would be something I'd expect Google to go above and beyond to keep working. I can sorta understand OEMs dropping their flagships pretty much as soon as the conveyors on the production lines stop spinning (and fuck-you-very-much HTC), but I'd hope that platform champion number one could do a little better than that.
Log in or piss off.