Today, security research firm BlueBox has announced the discovery of a bug in the way Android handles the identity certificates used to sign applications. (It would appear that this is a common theme, similar to the issue found in Safari not long ago) The vulnerability, which BlueBox has dubbed “Fake ID,” allows malicious apps to associate themselves with certificates from legitimate apps, thus gaining access to stuff they shouldn’t have access to. How? Android’s installer apparently doesn’t do the best job verifying things.
According to BlueBox, the package installer apparently doesn’t properly verify the authenticity of digital certificate “chains,” allowing a malicious certificate to claim it’s been issued by a trusted party. That’s a problem because certain digital signatures provide apps privileged access to some device functions. With Android 2.2-4.3, for instance, apps bearing Adobe’s signature are given special access to webview content — a requirement for Adobe Flash support that if misused could cause problems. Similarly, spoofing the signature of an app that has privileged access to the hardware used for secure payments over NFC might let a malicious app intercept sensitive financial info.
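The class of mistake described above, an installer that trusts the issuer name a certificate carries instead of checking that a trusted key actually signed it, is easy to see in code. The following is an added example and is not BlueBox's, Google's or Android's code; it uses Go's standard library rather than Android's Java signature checks, and every certificate and key in it is generated on the fly as constructed test material (the names "Trusted Vendor Root", "Legit App" and "Rogue App" are made up for the demonstration). The rogue leaf's Issuer field claims the trusted root, but it is signed with an unrelated key; a name comparison accepts it, a real chain verification does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a fresh P-256 key (constructed test material, not a real vendor key).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// template builds a minimal certificate template for the given subject.
func template(serial int64, subject string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
}

// sign issues tmpl for pub, signed with signerKey. The Issuer field of the result
// is copied from signer.Subject whether or not signerKey really belongs to signer,
// which is exactly why the issuer name alone proves nothing.
func sign(tmpl, signer *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NaiveTrusts mimics a broken installer: it believes the Issuer name written in
// the certificate and never checks the signature against the root's key.
func NaiveTrusts(cert, root *x509.Certificate) bool {
	return cert.Issuer.CommonName == root.Subject.CommonName
}

// ChainVerifies is the correct check: build a chain from cert up to a root we
// actually trust and verify every signature along it.
func ChainVerifies(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // no EKU on these test leaves
	})
	return err == nil
}

// Demo builds a trusted root, a leaf it really issued, and a rogue leaf that only
// claims that root as its issuer. It returns whether the naive check accepts the
// rogue leaf, whether chain verification accepts it, and whether chain
// verification accepts the legitimate leaf.
func Demo() (naiveRogue, strictRogue, strictLegit bool, err error) {
	rootKey, err := newKey()
	if err != nil {
		return
	}
	rootTmpl := template(1, "Trusted Vendor Root", true)
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed root
	if err != nil {
		return
	}

	legitKey, err := newKey()
	if err != nil {
		return
	}
	legit, err := sign(template(2, "Legit App", false), root, &legitKey.PublicKey, rootKey)
	if err != nil {
		return
	}

	// Rogue leaf: fakeParent carries only the trusted root's name and no public
	// key, and the signature is made with the attacker's own key.
	attackerKey, err := newKey()
	if err != nil {
		return
	}
	fakeParent := &x509.Certificate{Subject: pkix.Name{CommonName: "Trusted Vendor Root"}}
	rogue, err := sign(template(3, "Rogue App", false), fakeParent, &attackerKey.PublicKey, attackerKey)
	if err != nil {
		return
	}

	return NaiveTrusts(rogue, root), ChainVerifies(rogue, root), ChainVerifies(legit, root), nil
}

func main() {
	naiveRogue, strictRogue, strictLegit, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("naive issuer-name check accepts rogue cert: %v\n", naiveRogue)
	fmt.Printf("chain verification accepts rogue cert:      %v\n", strictRogue)
	fmt.Printf("chain verification accepts legit cert:      %v\n", strictLegit)
}
```

The point for anyone writing a verifier, whether for APKs or anything else: the Issuer field is attacker-controlled data, so trust has to come from walking the chain and checking each signature against a key you already trust, not from any name or identifier the certificate asserts about itself.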
On the bright side, Google has a card to play when dealing with security issues like this: Google Play Services. Just as Play Services adds new features and APIs without requiring a firmware update, it can also be used to plug security holes. Some time ago Google added a “verify apps” feature to Google Play Services as a way to scan apps for malicious content before they’re installed. What’s more, it’s turned on by default. In Android 4.2 and up it lives under Settings > Security; on older versions you’ll find it under Google Settings > Verify apps. Chances are that these apps aren’t making it to Play, and if you sideload and leave the verify function checked, you’re probably good. Until Google pushes a fix through Google Play, you’d better make do.