UPDATE (3.45am PT): Google has reportedly tightened up security within its Play Store mechanisms, making this flaw less dangerous than it initially seemed. The story has been updated to reflect this.
You may have seen reports out there about a serious flaw affecting almost all Android handsets. But, assuming you’re packing one of said devices, how worried should you be?
If you’re in a hurry, here’s the short answer: not too worried, as long as you stick to apps from the Play Store. If you have time for the explanation, here it is.
Who announced this flaw?
That would be Bluebox Security, a new mobile security startup that’s supposedly in stealth mode.
This isn’t just a publicity stunt, is it?
Probably not. Bluebox’s CTO is a chap called Jeff Forristal, who has been involved in the security scene for a decade or so. And this does appear to be a serious vulnerability: according to Bluebox it affects any Android phone released in the last 4 years, which is around 99 percent of the devices out there. That said, Bluebox’s post isn’t very explicit about the fact that Google has since tightened its Play Store security (more on that below).
So what does this vulnerability allow?
The flaw lies in the way Android verifies app packages (APK files), specifically the cryptographic signature check that is supposed to guarantee a package hasn’t been modified since its developer signed it. It allows an attacker to alter the code inside an APK without that check noticing, so the tampered package still looks like the legitimately signed original. If the original app came from the device manufacturer or a trusted partner, it will probably have privileged access to the device, and a modified copy inherits that access because, as far as the system can tell, it is still the same trusted app. This raises the possibility of “Trojan” apps that can gain full access to the Android system and to other apps.
This means such Trojans could steal information, take over functions of the device, or even make the handset part of a wider botnet without the user knowing about it.
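To make the integrity check concrete, here is a small Python checker, added as an illustration and not code from the article or from Bluebox. An APK is a ZIP file whose META-INF/MANIFEST.MF lists a SHA1 digest of every file in the package, and the developer’s signature (CERT.SF/CERT.RSA) covers that manifest. The checker recomputes each digest and flags files whose contents no longer match what was signed. As a general hardening measure it also rejects archives that carry the same entry name twice, because a verifier and an installer that silently pick different copies of an entry would defeat the check; that is a general property of ZIP-based packaging, not a claim about the precise mechanism of bug 8219321. Only the digest layer is modelled; the signature over the manifest, which is what binds it to the developer’s key, is not verified here. The package contents, file names and digest values are constructed test data.

```python
import base64
import hashlib
import io
import warnings
import zipfile

# Constructed sample package contents (not a real app).
SAMPLE = {
    "AndroidManifest.xml": b"<manifest package='com.example.demo'/>",
    "classes.dex": b"dex\n035\x00original application code",
}


def sha1_b64(data):
    """Base64-encoded SHA1 digest, the encoding used in MANIFEST.MF."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(entries):
    """Build a MANIFEST.MF listing the SHA1 digest of each entry, as a signing tool would."""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()


def parse_manifest(raw):
    """Map entry name -> SHA1-Digest from MANIFEST.MF.
    Continuation lines for names longer than 72 bytes are not handled here."""
    digests, name = {}, None
    for line in raw.decode("utf-8").splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
        elif not line:
            name = None  # blank line ends a section
    return digests


def make_apk(entries, manifest=None, extra=()):
    """Write a minimal APK-shaped ZIP. `extra` is a list of (name, data) pairs appended
    after `entries`, used to create a second entry with an already-used name."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names; we want them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        manifest if manifest is not None else build_manifest(entries))
            for name, data in list(entries.items()) + list(extra):
                zf.writestr(name, data)
    return buf.getvalue()


def verify_apk(apk_bytes):
    """Return (ok, problems). ok is True only when every non-META-INF entry is listed in
    MANIFEST.MF with a matching digest and no entry name appears more than once."""
    problems = []
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = [info.filename for info in zf.infolist()]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"duplicate entry: {dup}")
    if "META-INF/MANIFEST.MF" not in names:
        return False, problems + ["missing manifest"]
    digests = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
    for info in zf.infolist():
        name = info.filename
        if name.startswith("META-INF/") or name.endswith("/"):
            continue
        # Read by ZipInfo, not by name, so each physical copy is checked individually.
        actual = sha1_b64(zf.read(info))
        expected = digests.get(name)
        if expected is None:
            problems.append(f"unlisted entry: {name}")
        elif expected != actual:
            problems.append(f"digest mismatch: {name}")
    return not problems, problems


def tampered_apk():
    """classes.dex replaced after signing: the manifest still carries the original digest."""
    modified = dict(SAMPLE, **{"classes.dex": b"dex\n035\x00trojanised code"})
    return make_apk(modified, manifest=build_manifest(SAMPLE))


def duplicate_apk():
    """A second classes.dex appended under the same name as the signed one."""
    return make_apk(SAMPLE, extra=[("classes.dex", b"dex\n035\x00trojanised code")])


if __name__ == "__main__":
    for label, apk in [("untouched", make_apk(SAMPLE)),
                       ("tampered", tampered_apk()),
                       ("duplicate", duplicate_apk())]:
        print(label, verify_apk(apk))
```

Running the block prints a passing result for the untouched package, a digest mismatch for the replaced classes.dex, and both a duplicate-entry and a digest-mismatch finding for the package with two entries of the same name. Note that reading an entry by name from Python’s zipfile silently returns the last copy, which is exactly the kind of ambiguity a verifier must refuse rather than resolve.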
Sounds bad. What’s being done about it?
In line with responsible disclosure practice, Bluebox quietly reported the flaw to Google back in February. It is tracked as Android security bug 8219321. So Google, which is not openly commenting on Bluebox’s public disclosure, has had at least 4 months to get the word out to Android device manufacturers, who are the ones now expected to release firmware updates that fix the vulnerability.
Bluebox also plans to release proof-of-concept exploits, one for each device vendor, at the upcoming Black Hat USA 2013 security conference. According to Computerworld, Samsung’s flagship Galaxy S4 has already been patched, so it is likely that other manufacturers have quietly sprung into action too.
What’s more, CIO reports that Google has patched its own Play Store so that it can recognize when app updates have been tampered with.
So will my phone get the fix?
Yes and no. One of Android’s long-standing problems is that many older devices never see updates any more: the operating system and the underlying hardware have moved on so far since the Froyo or Gingerbread versions, for example, that manufacturers would rather you just bought a newer device.
This situation is changing. The evolution of phone processors is likely to hit a plateau after the leap to quad-core, and the next version of Android, Key Lime Pie, will reportedly cater for low-spec phones, so that older and cheaper devices are covered. However, it is still down to each manufacturer to make sure the devices it sold 2 or 3 years ago get patched, so there is a good chance that many devices will never see an update for this flaw.
That matters less than it might, though. A couple of months after Bluebox told it about the vulnerability, Google changed its Play Store policy to ban apps from updating themselves through any channel other than the Play Store’s own update mechanism. Combined with the tightened checks on the Play Store side, which can now spot app updates that have been tampered with, that should keep most users safe even on devices that never receive a firmware fix.
The exception is users who install apps from outside the Play Store, whether from third-party Android app marketplaces or by sideloading APK files directly. There are many legitimate reasons to do so: the Play Store is understocked in many countries, such as China, and some users have a taste for apps that Google won’t allow into the Play Store, such as those with pornographic content. Those users get none of the Play Store’s protection, so they depend on whatever checks the third-party store runs and on whether their device manufacturer ships a firmware update.