“The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.”[Jeff Forristal]
(If you are interested, read more about the timeline and technical details at http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/)
Technical details aside, roughly 900 million Android devices are at material risk. When Jeff Forristal, Bluebox CTO, wrote that this vulnerability permits a hostile party “to modify APK code,” he could have added “to do anything code can do.” Once a trusted application has been turned into a Trojan, all data, all logs, all identities and other secrets on the vulnerable device are at risk. It does not stop there: the hostile code can also use the network to exfiltrate that data, download new functionality, and attack or explore the networks to which the infected device attaches. The attacker’s creativity and time appear to be the only limits.
Google released a fix months ago, but there are numerous inhibitors to rapid deployment of Android updates, with device manufacturers’ and carriers’ implementation and operating decisions at the core of the problem. In any case, the vulnerability exists in Android 1.6 and later, and it seems reasonable to assume that it will be a relatively long time before a material subset of those 900 million devices has the relevant update applied.
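Because the platform fix will take a long time to reach most handsets, a compensating control at the point where an enterprise admits an APK (an internal app store, an MDM gate, or an incident-response triage script) is worth having. The example below is added here and is not code from Bluebox or from this article. It assumes one piece of background that the article leaves out: the vector Bluebox disclosed is an APK (a ZIP file) that carries two entries with the same name, where the code that verifies the signature and the code that installs or runs the app resolve that name to different copies. The script constructs such an APK in memory from sample data (the `BENIGN_DEX` and `HOSTILE_DEX` byte strings are constructed, not real DEX files), flags the duplicate names, and shows how two different access paths in Python’s own `zipfile` module already disagree on which copy `classes.dex` means. The `audit_apk` function and its output format are this example’s own, not any Android or Bluebox tool.

```python
# Added example (not from the Bluebox post or this article): a small audit
# for the class of APK the "master key" bug abuses.  Assumed background:
# Bluebox's vector was two ZIP entries sharing one name, with the signature
# verifier and the installer resolving the name to different copies.
import hashlib
import io
import warnings
import zipfile

# Constructed sample payloads standing in for a real classes.dex.
BENIGN_DEX = b"dex\n035\x00benign classes.dex (constructed sample)"
HOSTILE_DEX = b"dex\n035\x00hostile classes.dex (constructed sample)"


def build_twin_apk(benign: bytes, hostile: bytes) -> bytes:
    """Construct an APK-shaped ZIP that carries two 'classes.dex' entries."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names but allows them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", benign)   # first record in the central directory
            zf.writestr("classes.dex", hostile)  # second record, same name
    return buf.getvalue()


def duplicate_entries(apk: bytes) -> dict:
    """Return {name: count} for every entry name that appears more than once."""
    counts = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():  # walks every central-directory record, duplicates included
            counts[info.filename] = counts.get(info.filename, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


def read_by_name_lookup(apk: bytes, name: str) -> bytes:
    """Resolve a name through zipfile's name dict: the LAST record with that name wins."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)


def read_first_record(apk: bytes, name: str) -> bytes:
    """Resolve a name by walking records in order: the FIRST match wins."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.open(info).read()  # passing the ZipInfo selects that exact record
    raise KeyError(name)


def audit_apk(apk: bytes) -> list:
    """Findings a pre-install gate could act on: one line per duplicated entry name."""
    findings = []
    for name, n in sorted(duplicate_entries(apk).items()):
        last = hashlib.sha256(read_by_name_lookup(apk, name)).hexdigest()
        first = hashlib.sha256(read_first_record(apk, name)).hexdigest()
        verdict = "contents differ" if first != last else "contents identical"
        findings.append(f"{name}: {n} entries, {verdict} (first {first[:12]}, last {last[:12]})")
    return findings


if __name__ == "__main__":
    sample = build_twin_apk(BENIGN_DEX, HOSTILE_DEX)
    for line in audit_apk(sample) or ["no duplicate entries"]:
        print(line)
```

The point of the two readers is the shape of the bug, not a claim about which copy Android’s verifier or installer picked (the article does not say, and the toy does not model it): a digest computed over one copy of `classes.dex` proves nothing about the other copy, so a gate that admits APKs should reject any archive in which `duplicate_entries` returns anything at all, whether or not the copies happen to match.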
All of us supporting information and infrastructure security operations in financial services know we have employees who believe it is their right to work from their personal mobile device, whether Android, iOS, or another OS; material vulnerabilities exist across all types of consumer mobile devices. They use any number of methods to move non-public business information onto their mobile endpoint and/or their favorite cloud storage. Some of us have active or emerging BYOD programs being rolled out for any number of reasons, too often simply BYOD fever. Many of those roll-outs concentrate non-public business information on unmanaged consumer endpoints. The risks associated with both types of behavior just increased.
If you are not already doing so, now is the time to invest serious energy in steering these BYOD projects in directions that are more likely to protect our customers, our investors, and the overall health of our corporations. In the presence of facts like this new Android vulnerability, “do your own thing” at the endpoint seems increasingly out of phase with the legal and regulatory environment in which financial services operates.
“Uncovering Android Master Key that Makes 99% of Devices Vulnerable.” Jeff Forristal, Bluebox CTO.
“Android Vulnerability Enables Malicious Updates to Bypass Digital Signatures.” Michael Mimoso.