Friday, July 5, 2013

What is the vulnerability of Android and how we can ... - Engadget


You have all heard it: a vulnerability has been discovered in Android that affects 99% of devices and allows an attacker to replace certain APKs through a failure in the cryptographic system for updates.

Before continuing, let's pause for a bit and try to explain to everyone, without omitting details, what is really going on. As always, we go to the basics first: what Android apps are, why they are signed and how they are updated.


Who can update applications?


Anyone minimally familiar with Android knows that applications are packaged into APK files: basically a ZIP file with the executable (you could say it is like an .EXE), information, resources and application images.

Android keeps the APK files of all your phone's applications on the system. Updating an application is simple: replace the old APK with the new one. More work may be done, but this is the main thing.

Now, there is a potential problem: what if the new APK does not come from the same developer? For example, what should Android do if I create an update to Gmail and want to install it over the one you already have? The obvious answer is that it should not allow it. Android only allows updates in which the new APK has been created by the same developer that created the old APK. This relies on a process called cryptographic signing.

What is signing an APK?

Figure: digital signature scheme.

Think of the cryptographic signature as a seal on a sheet of paper. Only you have that seal, and if someone writes something on the paper they will have to do it over the seal (use your imagination), so you will know that it has changed.

The more technical process, simplified, is as follows:

    • We obtain the fingerprint of the APK. This fingerprint, or hash, is like your own fingerprint: it is unique to that APK and is not repeated (theoretically). If something changes, the hash changes too.
    • We encrypt the hash with the private key of the developer. This key belongs only to the developer and is not shared with anyone else; that is why it is private. This encrypted hash is the digital signature.

Now, for the signature verification:

    • We receive the digital signature and decrypt it with the developer's public key.
    • We calculate the hash of the APK we have received and compare it with the one we decrypted from the digital signature. If they match, the signature is valid.

Since the hash is unique to each APK, we ensure that the package has not been modified since it was created by the developer. Moreover, a message encrypted with a private key can only be decrypted with the corresponding public key, and that public key cannot decrypt messages from any other private key. This way you make sure that only the developer created the package.

That is, because of how the digital signature is designed, it is impossible to forge a certificate (as always, in theory): you can be sure that the developer was the one who created that application and that nobody else has changed it.

The digital signature ensures that only the original developer can create updates to their apps.

When installing the update, Android checks two things: that the signature of the APK is valid and that the private key is the same one that signed the previous version. If the package is signed with another key, the system will recognize it as a new application and will not replace the old one.

This method ensures that only the original developer, and no one else, can create updates for their applications.
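The signing, verification and update checks described above, as an added example that is not part of the original article. It follows the article's simplified hash-then-sign model with toy RSA keys built from Mersenne primes, and compares public keys as a stand-in for "same signer"; every key, file name and file content here is constructed for illustration.

```python
import hashlib, io, zipfile

def make_key(p, q, e=65537):
    # Toy RSA from well-known Mersenne primes: shows the arithmetic, offers no security.
    n = p * q
    return {"pub": (n, e), "d": pow(e, -1, (p - 1) * (q - 1))}

DEV_KEY = make_key(2**521 - 1, 2**607 - 1)      # constructed "developer" key
OTHER_KEY = make_key(2**607 - 1, 2**1279 - 1)   # constructed key of a different signer

def build_apk(files):
    # An APK is a ZIP container; pack {name: bytes} with fixed timestamps.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in sorted(files):
            z.writestr(zipfile.ZipInfo(name), files[name])
    return buf.getvalue()

def fingerprint(apk):
    return int.from_bytes(hashlib.sha256(apk).digest(), "big")

def sign(apk, key):
    # Signing step 2: transform the hash with the private exponent.
    return pow(fingerprint(apk), key["d"], key["pub"][0])

def verify(apk, signature, public):
    # Recover the signed hash with the public key, compare with a fresh hash.
    n, e = public
    return pow(signature, e, n) == fingerprint(apk)

def accept_update(installed_public, apk, signature, public):
    # Both update checks: the signature is valid AND the signer is unchanged.
    return verify(apk, signature, public) and public == installed_public

def demo():
    dev_pub = DEV_KEY["pub"]
    v1 = build_apk({"AndroidManifest.xml": b"<manifest v1/>", "classes.dex": b"code v1"})
    v2 = build_apk({"AndroidManifest.xml": b"<manifest v2/>", "classes.dex": b"code v2"})
    edited = build_apk({"AndroidManifest.xml": b"<manifest v1/>", "classes.dex": b"other code"})
    sig1 = sign(v1, DEV_KEY)
    return {
        "original_verifies": verify(v1, sig1, dev_pub),
        "edited_with_old_signature": verify(edited, sig1, dev_pub),
        "update_by_same_developer": accept_update(dev_pub, v2, sign(v2, DEV_KEY), dev_pub),
        "update_by_other_signer": accept_update(dev_pub, v2, sign(v2, OTHER_KEY), OTHER_KEY["pub"]),
    }

if __name__ == "__main__":
    print(demo())
```

The last case is the one the update rule exists for: the package carries a perfectly valid signature, but from a different key than the installed version, so it is not accepted as an update.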

Where is the vulnerability?

Now that we know exactly how an Android application is updated, let's see where the vulnerability is. Bluebox has not revealed all the details of the flaw, nor how it works or how to exploit it. It has only said where it is and what it is.

It is a flaw in the system that verifies application signatures. Thanks to it, someone could modify an APK in such a way that the digital signature would remain valid. For example, you could change the Gmail APK and Android would still think it has not been modified since Google signed it.

Once packages can be changed without invalidating the signature, someone could inject malicious code into a well-known APK without the system detecting it. Basically, they can get you to install a malicious application disguised as a known and trusted application.

An example attack scenario: someone sends you a link saying that a new update of Google Maps has come out. You download the package (a Google Maps APK signed by Google), you get the message asking if you want to update, you accept and that's it. In reality, Android has not detected that the package has been modified and contains a Trojan that will allow an attacker to gain access to your phone.

Being an update, it does not need to ask for permissions: you already granted them when you installed the original application. Perhaps nothing much will happen if you install a malicious update of Angry Birds: at the end of the day it will not have many more permissions than the original application. But what if the update is for Gmail, for example? They would have access to all your emails, the internet… Perfect for building a botnet or stealing your accounts.

There is an even worse scenario: an update of a system application that has all possible permissions. The attacker would have unrestricted access to your system while you think you have installed an innocent update to improve some mobile setting.

How to protect yourself?

This bug affects any Android application. The question is how the attacker can get the modified application to you.

The recommendation is not to install any application from outside Google Play.

For these malicious applications to reach you through a Google Play update, attackers would have to break into Google's servers and push an update manually. That is not an easy task, so you can count on the official Android market, Google Play, being safe.

The only way left is installing applications from unofficial sources: downloading from other markets with fewer controls and less security, or just clicking a link on a web page to download the APK.

In short: if you want to protect yourself from this vulnerability, deactivate the option to install applications from unknown sources.

Difficult for Google to fix


It is a serious flaw. It was reported to Google and other manufacturers in February, but only Samsung has been able to prepare a patch, for the S4. As it affects nearly all phones since Android 1.6, and taking into account the pace of Android updates, a number of phones will stay with it forever.

Many inexperienced users can fall into the trap of trusting these updates, as they may look completely legitimate and not be as strange as a pinball game that requests access to your SMS. Even more advanced users could fall for it: distributing links to a "new leaked version of Gmail for Android" would be enough to infect a number of phones belonging to people who know the system.

With flaws like this, a quick update path from Google and manufacturers is becoming more necessary. At least, I do not think it is serious that a large part of Android phones are going to be left with a serious security flaw because they cannot upgrade to later versions of the system.
