Yet another Android vulnerability: Keeping devices safe

No phone or desktop operating system will ever be 100% secure. But yet another Android flaw affecting a majority of its devices has been discovered, once again causing users to question its security. 

The researchers at BlueBox have discovered a vulnerability they dub “FakeID,” and it affects a majority of versions of the phone’s OS. The bug affects versions of Android from 2.1, released January of 2010, to Android 4.4, KitKat.

The flaw allows malicious people to pose as a trusted company. According to The Register:

The Fake ID problem is due to weakness in the way applications can be trusted by their certificate chain: a vendor like Adobe can digitally sign an app to prove, cryptographically, that it built the software and that it’s legit.

Bluebox discovered that a miscreant can create his or her own identity certificate, falsely claim it has been signed by Adobe as trustworthy, and then use that identity certificate to sign a malicious piece of software.

It’s in manufacturers’ hands

Unlike Apple’s iOS, the best Google can do in this situation is to let manufacturers know of the flaw and ask them to push out updates to devices – but it’s not a guarantee they will.

That puts users in a precarious spot, because Bluebox notes that this flaw could be used, for instance, to:

  • insert a Trojan into an app by impersonating Adobe Systems
  • gain access to NFC financial and payment data by impersonating Google Wallet, or
  • take full management control of a device.

And all this comes after another recently discovered cyrpto key flaw which was patched in Android 4.4 only.

Steps to take

As always, good mobile security rules the day. Be sure to: