Android's code signing can be bypassed
Source: Bluebox
Android applications carry a signature that is designed to ensure APK package integrity. During installation, the operating system will use the signature to validate the package contents, and an alert will be issued if a manipulation is detected. US firm Bluebox, which was only founded in mid-2012, claims to have discovered a bug in this approach that allows arbitrary code to be injected into APK files without invalidating the signature.
The company plans to release further details of bug 8219321, which was reported to Google in February 2013, at the Black Hat security conference on 1 August 2013. The company issued a cryptic tweet in March saying it would give more information about 8219321 in 90 days.
The bug has apparently existed since Android 1.6 (Donut), which was released around four years ago. The fix is only two lines long. According to the Australian CIO who talked with Jeff Forristal, CTO of Bluebox, only Samsung has so far provided an update to close the hole in its Galaxy S4. Google plans to fix the Nexus and open source version of Android in the near future, says the Bluebox CTO. Apps in Google's Android Play Store are not affected by the security hole; Google has, says Forristal, set up checks on apps being allowed into the store and has checked all the apps currently in the store.
Bluebox says that the hole is particularly dangerous in connection with software that is released by the device manufacturer – as this type of software enjoys higher privilege levels than normal apps, manipulating such APK packages could allow potential attackers to obtain arbitrary privileges on the device. However, successful attackers must have access to these files. A screenshot of a manipulated system app is offered as proof of the bug's existence with the string "Bluebox" appearing in the baseband software's version number.
It is currently unclear whether the hole affects installed software, whether attackers inject a bogus update with a seemingly correct signature or whether the issue only arises when a program is first installed. It is worth noting that Google blocked non-Play-Store updating in April this year.
(djwm)