The cryptographic key proves an update is legit, assuming your OEM doesn't lose it:
A developer's cryptographic signing key is one of the major linchpins of Android security. Any time Android updates an app, the signing key of the old app on your phone needs to match the key of the update you're installing. The matching keys ensure the update actually comes from the company that originally made your app and isn't some malicious hijacking plot. If a developer's signing key got leaked, anyone could distribute malicious app updates and Android would happily install them, thinking they are legit.
On Android, the app-updating process isn't just for apps downloaded from an app store; it also covers bundled-in system apps made by Google, your device manufacturer, and any other bundled apps. While downloaded apps have a strict set of permissions and controls, bundled-in Android system apps have access to much more powerful and invasive permissions and aren't subject to the usual Play Store limitations (this is why Facebook always pays to be a bundled app). If a third-party developer ever lost their signing key, it would be bad. If an Android OEM ever lost their system app signing key, it would be really, really bad.
Guess what has happened! Łukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and MediaTek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets.
Previously: Android Password-Stealing Malware Infects 100,000 Google Play Users
Originally spotted on Schneier on Security.
Related Stories
Android password-stealing malware infects 100,000 Google Play users:
A malicious Android app that steals Facebook credentials has been installed over 100,000 times via the Google Play Store, with the app still available to download.
The Android malware is disguised as a cartoonifier app called 'Craftsart Cartoon Photo Tools,' allowing users to upload an image and convert it into a cartoon rendering.
Over the past week, security researchers and mobile security firm Pradeo discovered that the Android app includes a trojan called 'FaceStealer,' which displays a Facebook login screen that requires users to log in before using the app.
(Score: 2) by krishnoid on Monday December 12, @10:30PM (1 child)
Can the issuer revoke keys, or only "certificates?" Can you revoke certificates? How does that work?
(Score: 2) by Immerman on Tuesday December 13, @02:27AM
It depends entirely on the infrastructure.
If, as the summary suggests, the extent of Android's app security verification is making sure an update is signed by the same key as the original, then no.
The only way to revoke a key (or certificate for that matter) is if you have an official database online that the security system checks to see if the key is valid. For certificates that's usually not a problem, because you're already verifying it with the issuing certificate authority. At the simplest you can just remove the certificate from the database and any attempt to verify it will come back "that certificate is not found, it must be fraudulent."
A key though? That's just a number plugged into a cryptographic formula. And simple systems are often built on the assumption that you'll actually keep your key secret. Sort of like how physical locks offer no protection against someone who has stolen the physical key.
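As an added illustration (not code from the story, from Android, or from any commenter), the following Python models the update rule the summary describes and the point Immerman makes above: checking that the update's signer matches the installed signer cannot reject a leaked key, while a separately maintained blocklist of compromised certificate fingerprints can. The certificate bytes, package name and blocklist contents are constructed placeholders.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded signing certificates; not real OEM material.
OEM_PLATFORM_CERT = b"DER:constructed-oem-platform-certificate"
ATTACKER_CERT = b"DER:constructed-attacker-certificate"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate DER bytes, the form in which Android tooling reports a signer."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class InstalledApp:
    package: str
    signer: str            # fingerprint of the certificate the installed version was signed with
    system_app: bool = False


@dataclass
class UpdatePolicy:
    """Android's rule: the update's signer must equal the installed signer. The blocklist is the
    hypothetical extra check described in the comment above (an out-of-band list the verifier
    consults); plain key matching has no such step."""
    blocked_signers: set = field(default_factory=set)

    def check_update(self, installed: InstalledApp, update_cert: bytes) -> tuple[bool, str]:
        fp = cert_fingerprint(update_cert)
        if fp != installed.signer:
            return False, "rejected: signer mismatch"
        if fp in self.blocked_signers:
            return False, "rejected: signer on compromised-certificate blocklist"
        return True, "accepted: signer matches"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Three updates offered to a system app whose platform certificate has leaked."""
    app = InstalledApp("com.example.oem.settings", cert_fingerprint(OEM_PLATFORM_CERT), True)
    plain = UpdatePolicy()
    with_blocklist = UpdatePolicy(blocked_signers={cert_fingerprint(OEM_PLATFORM_CERT)})
    return {
        # an unrelated attacker key: key matching alone catches it
        "attacker_key": plain.check_update(app, ATTACKER_CERT),
        # the leaked OEM key: key matching alone waves it through, which is the problem in the story
        "leaked_key": plain.check_update(app, OEM_PLATFORM_CERT),
        # the same leaked key once its fingerprint is on an externally maintained blocklist
        "leaked_key_blocklisted": with_blocklist.check_update(app, OEM_PLATFORM_CERT),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name}: {why}")
```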
(Score: 3, Informative) by Thexalon on Monday December 12, @10:34PM (5 children)
I'm getting a sense of deja vu [soylentnews.org]. Probably a side-effect of the various database issues our admins have been dealing with.
I'm also getting some green-site nostalgia: Dupes were almost a tradition over there!
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by fliptop on Monday December 12, @10:49PM (2 children)
You may be correct, my bad. I figured out today (after posting this story) that the SN search utility doesn't seem to be finding stories published after Nov 21st. Upon the suggestion from fab23 in IRC I've been using DDG instead to search for stories to avoid submitting a dupe.
To be oneself, and unafraid whether right or wrong, is more admirable than the easy cowardice of surrender to conformity
(Score: 2) by Freeman on Monday December 12, @11:29PM
Ah, nice. Stuff be broke man. Hopefully will be taken care of Soon™.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by Thexalon on Monday December 12, @11:38PM
Yup, I figured it was something like that, which is why I wrote:
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by Snotnose on Monday December 12, @11:38PM (1 child)
I think you meant deja moo. I've seen this bullshit before.
I just passed a drug test. My dealer has some explaining to do.
(Score: 0) by Anonymous Coward on Tuesday December 13, @06:49AM
(Score: 1) by MonkeypoxBugChaser on Wednesday December 14, @12:57AM
A whole bunch of devices can probably be rooted or otherwise jailbroken now.