Bluebox mobile security company has recently found out a major vulnerability which affects Android’s trusted certificate chain and has been unpatched since Android 2.1 Eclair which was released in January 2010. Since then and till now this vulnerability remains unpatched and can affect all Android devices. This affects all devices which have not been patched for Google bug 13678484, which is almost all devices.
This vulnerability has serious implications in the sense that malicious applications can claim themselves to be legitimate applications and gain access to your device and sensitive data very easily. The vulnerability is present due to the way Android devices use IDs and security certificates for applications.
To see how this vulnerability works let us first consider a small example. Whenever you connect to a website, you are passed an SSL certificate say from Verisign which tells your browser that this site is who it claims to be and is verified by us. But your browser has no way to know if this certificate is real or not, so the browser checks your computer for a Verisign Master certificate. It uses this certificate and compares the given certificate to validate it. Now the master certificate is called the parent certificate and all the other certificates are basically child certificates and parents thus can verify the authenticity of their childs.
The app identification and certification model works very similarly in Android which is in theory a very good system as it is already used safely all across the web, except Android has a small bug. Whenever a website claims its certificate is issued by another authority a check is made to see whether or not it was true, but Android’s cryptographic module makes no attempt to do so. As we know a parent can validate a child identifier, a child can claim that it is a child of a particular parent and Android will just allow it to go through without comparing and verifying this claim.
In Android each application has its own Trust ID, which is in its identification certificate. This ID basically dictates the permission control system and the actions the application can perform. Most Android Phones from vendors like Pantech, Motorola, HTC, Sony etc come with a device administration module called the 3lM module. So now a malicious application can be made claiming that it is the child of the 3LM master certificate. This basically means the app has got itself the device administrator privileges.Similarly an app can claim to have the identifier of Google Wallet. Now as Google Wallet has special permissions to access the device’s NFC hardware, the rouge app gets that permission as well and can snoop on your NFC payments. A Similar thing can happen if the rouge app claims to be from Adobe Web view, as it will be set as the default web-view plugin in all apps. This is a very serious issue and what's more complicated is the fact that Android allows an application to be signed with multiple identities ie certificates. This means a malicious hacker could make a single application which can exploit all of the above vulnerabilities. Just think if the app signs itself as True-caller, then it will also be permitted to eaves drop on all incoming and out-going calls.
Status of a fix.
Currently Google has released a fix for this vulnerability so no need to worry. It has been distributed to various phone vendors who will/would have already supplied you with the update and fix. Google also regularly scans apps in the play-store to make sure they have proper certificate chains, so if you only use the play store to install apps then you are pretty much safe, but if you do sideload apps then you maybe exposing yourself to this risk.