July 10, 2013

The Android Bug 8219321

There's a lot of talk about an Android security bug that affects almost all the Android devices. Jeff Forristal from Bluebox Security reported that "the vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature. Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security's close relationship with Google in February 2013."

So the bug could allow someone to create a modified version of an system app and trick other people to install it. The modified version could include malicious code.

Actually, the bug is simple: APK files are ZIP archives and Android allows APK files to include files with the same name. "It's a problem in the way Android handles APKs that have duplicate file names inside," says Pau Oliva Fora, security engineer at security firm ViaForensics. "The entry which is verified for signature is the second one inside the APK, and the entry which ends up being installed is the first one inside the APK - the injected one that can contain the malicious payload and is not checked for signature at all."

The problem is that Android supported duplicate file names in APKs and the patch removed this support. The patch is extremely simple: return an error if the APK file has duplicate file names.


Apparently, Geremy Condra from Google wrote a patch in February. "Google made changes to Google Play in order to detect apps modified in this way and a patch has already been shared with device manufacturers," informs ComputerWorld. CyanogenMod included the bug fix in the latest release, faster than OEMs and even Google, which didn't update Nexus devices to address this issue.

The bug #8219321 is now a test that will show us how fast Google, OEMs and carriers can deploy security patches. For now, CyanogenMod is the place to go to get the latest features and security patches.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.