99 Percent Of All Android Installations Are Vulnerable To Hacking - TopicsExpress


99 Percent Of All Android Installations Are Vulnerable To Hacking And Even Complete Takeover Of The Device This is the claim from Bluebox Security: that pretty much any Android device can be hacked and thus either be read or, even, be turned into part of a botnet: "The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years1 – or nearly 900 million devices2– and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet." To take this out of the technical (and accurate) jargon and into something more understandable (but sadly, less accurate). If someone should wish to they can insert a trojan into code that has already been through the various tests that are done at the various app stores that you can get Android apps from. So, the original version of the app gets tested, that’s lovely, all ticketty boo and into the store it goes. But a malicious author can now change that code in that app. Which normally wouldn’t matter: because such a change would change the cryptographic signature of the app and thus the store would be alerted to the fact that it’s not what they’ve tested. The flaw that has been uncovered here is that it is possible to change the code without that signature changing. Thus the unscrupulous could get one version of the app tested but actually release another one: one containing a trojan for example. There’s a couple of saving graces about this finding it is true. The first being that there’s absolutely no evidence at all that anyone is actually doing this. The second is that Google GOOG +0.79% has been informed and we might presume are working on a fix for it. The third is that of course this is only going to be of any use to someone who is indeed an unscrupulous apps maker. Of which we know very well there are none at all (/sarcasm). But even if there are those unscrupulous ones who now find out about the vulnerability it still requires that we download an app which has been so altered. The big “name” apps obviously aren’t going to do this: there’s more to be made in selling the apps or the app’s services than there is in gaining a botnot. So to an extent we’re protected by the self-interest of apps makers themselves: anyone identified as making use of this flaw isn’t going to be able to sell any more apps in the future. It’s a bit like a food store poisoning its customers. A very short term expedient that will inevitably lead to bankruptcy. However, on the other side of it matters aren’t quite so rosy. Google themselves don’t control the updating of Android installations (unlike Apple with iOS), that’s the responsibility of the manufacturers. So waiting for a solution to this isn’t a matter of Google just fixing it: it needs then to go out to all of the myriad device makers, they must incorporate it and then we’ve all got to use the upgrade. And, famously, most of us with Android devices don’t upgrade the OS. So the vulnerability is likely to be out there in the wild for some time yet.
Posted on: Sat, 06 Jul 2013 07:04:40 +0000

Trending Topics

Recently Viewed Topics

© 2015