
Report: Imposter app bug found in Android


Editorial by Luke Jones on Wednesday July 30, 2014.


BlueBox Security released findings today that show a dangerous flaw in Android that allows hackers to get onto your device by posing as a legitimate app. This news once again throws into question the security on Google's Android platform, but what does it mean for you?

When Android VP Sundar Pichai stood up for the platform's security in the face of criticism from Apple CEO Tim Cook, some saw it as a stringent defense of his product. However, while Pichai was defending Google's overall part in Android's security, I saw his statement as a damning confession that Android is open to flaws. This is what Pichai said at the time:

"It must be liberating [for Apple] to wake up and think about your device, your software, and hey, 'I can even call the chipset guys and say what the chip should be,'" he says. "I have to think about building a platform and bringing as many people along on this journey and getting it right. I believe that ultimately it's a more powerful approach, but it's a lot more stressful as well.

You have to be careful when you make a $100,000 Mercedes car not to look at rest of automotive industry and make comments on it... We serve the entire breadth of the market, globally across all form factors, et cetera. Android from the ground up is designed to be very, very secure... History shows typically that malware is also targeted at the more popular operating system. So you know there is that."

In the interest of not making this an Apple vs. Android debate, what Pichai says about Cupertino's model is correct, but it is actually a compliment of sorts. However, Apple does only have to take care of itself and the rest falls into place. As Sundar says, Google builds the most secure platform possible and then rolls it out to third parties, who in turn do what they want with it. Basically he is saying there are security issues but they are not Google's fault. Comforting for Pichai maybe, but not for us.

5 million infected devices tell us that Android can sometimes be like the Wild West of the mobile world, and this latest issue adds to the worry. Imposter apps that can access your device and personal files sound like an unsolvable problem, as the bug means hackers can attack the verification of the app-making process.

The Android installer makes the publisher sign a digital verification certificate which acts as an identifying signature within the app code. The problem occurs because Android doesn't check with the publisher to see if it is actually a legitimate version of the app, meaning an imposter app could mimic the legitimate one and find its way onto devices. BlueBox put it thusly:

"We basically discovered a way to create fake ID cards. There are different vectors. They all come down to: I can create a fake ID card. The question is, which fake ID card do I create?"

This is where Pichai's words start to ring true. BlueBox informed Google about the issue in April and the company immediately implemented a fix through the Android Security team. The fix was then sent to manufacturers, who were given 90 days to make the necessary changes. However, BlueBox tested 40 major Android partners and found that only one has implemented the fix, and the 90-day period has all but expired.

Google says it scans all apps on the Google Play Store and that, while this bug is still very much active, there are no mimicked apps currently on the store. However, with BlueBox releasing its findings, the bug is now very much in the public domain, so we hope Google will get tougher with manufacturers and make them implement the fix.

source: Bloomberg

 

About the author

Luke Jones
Luke Jones is the Managing Editor at MobileBurn.com and is the person you need to speak to about the content on the site. Luke studied creative writing at Glamorgan University before carving out a reputation as a freelance tech writer. He settled here at MobileBurn, where he reviews devices and contributes to the news.
