Today security research firm BlueBox — the same company that uncovered the so-called Android "Master Key" vulnerability — has announced the discovery of a bug in the way Android handles the identity certificates used to sign applications. The vulnerability, which BlueBox has dubbed "Fake ID," allows malicious apps to associate themselves with certificates from legitimate apps, thus gaining access to stuff they shouldn't have access to. Security vulnerabilities like this sound scary, and we've already seen one or two hyperbolic headlines today as this story has broken. Nevertheless, any bug that lets apps do things they're not supposed to is a serious problem. So let's sum up what's going on in a nutshell, what it means for Android security, and whether it's worth worrying about ...

Update: We've updated this article to reflect confirmation from Google that both the Play Store and "verify apps" feature have indeed been updated to address the Fake ID bug. This means the vast majority of active Google Android devices already have some protection from this issue, as discussed later in the article. Google's statement in full can be found at the end of this post.

The problem — Dodgy certificates

'Fake ID' stems from a bug in the Android package installer.

According to BlueBox, the vulnerability stems from an issue in the Android package installer, the part of the OS that handles the installation of apps. The package installer apparently doesn't properly verify the authenticity of digital certificate "chains," allowing a malicious certificate to claim it's been issued by a trusted party. That's a problem because certain digital signatures provide apps privileged access to some device functions. With Android 2.2-4.3, for instance, apps bearing Adobe's signature are given special access to webview content — a requirement for Adobe Flash support that if misused could cause problems. Similarly, spoofing the signature of an app that has privileged access to the hardware used for secure payments over NFC might let a malicious app intercept sensitive financial info. More worryingly, a malicious certificate could also be used to impersonate certain remote device management software, such as 3LM, which is used by some manufacturers and grants extensive control over a device.

As BlueBox researcher Jeff Forristal writes: "Application signatures play an important role in the Android security model. An application's signature establishes who can update the application, what applications can share it's [sic] data, etc. Certain permissions, used to gate access to functionality, are only usable by applications that have the same signature as the permission creator. More interestingly, very specific signatures are given special privileges in certain cases."

While the Adobe/webview issue doesn't affect Android 4.4 (because the webview is now based on Chromium, which doesn't have the same Adobe hooks), the underlying package installer bug apparently continues to affect some versions of KitKat.
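To make the failure mode concrete, here is an added toy model (constructed for this article, not Android's installer code and not BlueBox's proof of concept) of the two ways a chain can be checked. The flawed checker links certificates purely by matching each certificate's claimed issuer name to the next certificate's subject name, which is the kind of verification gap the page describes: a self-signed certificate that simply names a trusted party as its issuer walks the chain successfully. The strict checker additionally verifies every signature with the issuer's public key and pins the root key. The certificate format, the names ("Trusted Vendor CA", "Legit App", "Malicious App") and the textbook RSA with tiny primes are all illustrative assumptions; the RSA is for demonstration only and is not a usable signature scheme.

```python
"""Toy certificate-chain checking: name-matching only vs. signature verification.
Constructed example; textbook RSA with small primes is used purely to illustrate.
Requires Python 3.8+ for pow(e, -1, m)."""
from dataclasses import dataclass
from hashlib import sha256
from typing import List, Set, Tuple

PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)


def _next_prime(n: int) -> int:
    """Smallest prime >= n, by trial division (tiny numbers only)."""
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def make_keypair(seed_p: int, seed_q: int) -> Tuple[PubKey, PrivKey]:
    p, q = _next_prime(seed_p), _next_prime(seed_q)
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str       # what the certificate *claims* about who issued it
    pubkey: PubKey
    signature: int    # over tbs(), supposedly made with the issuer's private key

    def tbs(self) -> bytes:
        """The 'to be signed' bytes: everything except the signature itself."""
        return f"{self.subject}|{self.issuer}|{self.pubkey}".encode()


def _digest_mod(data: bytes, n: int) -> int:
    return int.from_bytes(sha256(data).digest(), "big") % n


def issue_cert(subject: str, pubkey: PubKey, issuer: str, issuer_priv: PrivKey) -> Cert:
    n, d = issuer_priv
    unsigned = Cert(subject, issuer, pubkey, 0)
    return Cert(subject, issuer, pubkey, pow(_digest_mod(unsigned.tbs(), n), d, n))


def verify_signature(cert: Cert, signer_pub: PubKey) -> bool:
    n, e = signer_pub
    return pow(cert.signature, e, n) == _digest_mod(cert.tbs(), n)


def flawed_chain_is_trusted(chain: List[Cert], trusted_names: Set[str]) -> bool:
    """Models the defect: the chain is linked by *names* alone. A cert whose issuer
    field names a trusted party is accepted with no proof that party signed it."""
    for i, cert in enumerate(chain):
        if cert.subject in trusted_names:
            return True
        if i + 1 >= len(chain) or chain[i + 1].subject != cert.issuer:
            return False
    return False


def strict_chain_is_trusted(chain: List[Cert], trusted_roots: Set[PubKey]) -> bool:
    """Every cert must be signed by the key in the next cert (the last one is
    self-signed), and the root's public key must be one we have pinned."""
    if not chain:
        return False
    for i, cert in enumerate(chain):
        signer = chain[i + 1] if i + 1 < len(chain) else cert
        if signer.subject != cert.issuer or not verify_signature(cert, signer.pubkey):
            return False
    return chain[-1].pubkey in trusted_roots


def build_scenario() -> dict:
    """Constructed data: one genuine chain and one that only *claims* the CA as issuer."""
    ca_pub, ca_priv = make_keypair(1_000_003, 1_000_033)
    ca_cert = issue_cert("Trusted Vendor CA", ca_pub, "Trusted Vendor CA", ca_priv)
    app_pub, _ = make_keypair(3_000_017, 5_000_011)
    legit = issue_cert("Legit App", app_pub, "Trusted Vendor CA", ca_priv)
    mal_pub, mal_priv = make_keypair(7_000_003, 9_000_011)
    # The CA's own certificate is public, so anyone can append it to a chain; the
    # leaf below names the CA as issuer but is signed with an unrelated key.
    fake = issue_cert("Malicious App", mal_pub, "Trusted Vendor CA", mal_priv)
    return {"legit": [legit, ca_cert], "fake": [fake, ca_cert], "ca_pub": ca_pub}


if __name__ == "__main__":
    s = build_scenario()
    for name in ("legit", "fake"):
        print(name, "flawed:", flawed_chain_is_trusted(s[name], {"Trusted Vendor CA"}),
              "strict:", strict_chain_is_trusted(s[name], {s["ca_pub"]}))
```

The genuine chain passes both checkers; the forged chain passes only the name-matching one. The point for defenders is that a chain is only as good as the signature check at each link: a subject or issuer string is an unauthenticated claim until the issuer's public key has been used to verify it, and the root must be matched by key material, not by name.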
In a statement given to Android Central, Google said, "After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project." Google says there's no evidence 'Fake ID' is being exploited in the wild. Given that BlueBox says it informed Google in April, it's likely any fix will have been included in Android 4.4.3, and possibly some 4.4.2-based security patches from OEMs. (See this code commit — thanks Anant Shrivastava.) Initial testing with BlueBox's own app shows that the European LG G3, Samsung Galaxy S5 and HTC One M8 are not affected by Fake ID. We've reached out to the major Android OEMs to find out which other devices have been updated. As for the specifics of the Fake ID vuln, Forristal says he'll reveal more about it at the Black Hat Conference in Las Vegas on Aug. 2. In its statement, Google said it had scanned all apps in its Play Store, and some hosted in other app stores, and found no evidence that the exploit was being used in the real world.

The solution — Fixing Android bugs with Google Play

Through Play Services, Google can effectively neuter this bug across most of the active Android ecosystem.

Fake ID is a serious security vulnerability that if properly targeted could allow an attacker to do serious damage. And as the underlying bug has only recently been addressed in AOSP, it might appear that the great majority of Android phones are open to attack, and will remain so for the foreseeable future. As we've discussed before, the task of getting the billion or so active Android phones updated is an enormous challenge, and "fragmentation" is a problem that's built into Android's DNA. But Google has a trump card to play when dealing with security issues like this — Google Play Services. Just as Play Services adds new features and APIs without requiring a firmware update, it can also be used to plug security holes.

Some time ago Google added a "verify apps" feature to Google Play Services as a way to scan any apps for malicious content before they're installed. What's more, it's turned on by default. In Android 4.2 and up it lives under Settings > Security; on older versions you'll find it under Google Settings > Verify apps. As Sundar Pichai said at Google I/O 2014, 93 percent of active users are on the latest version of Google Play services. Even our ancient LG Optimus Vu, running Android 4.0.4 Ice Cream Sandwich, has the "verify apps" option from Play Services to stand guard against malware. Google has confirmed to Android Central that the "verify apps" feature and Google Play have been updated to protect users from this issue. Indeed, app-level security bugs like this are exactly what the "verify apps" feature is designed to deal with.
This significantly limits the impact of Fake ID on any device running an up-to-date version of Google Play Services — far from all Android devices being vulnerable, Google's action to address Fake ID via Play Services effectively neutered it before the issue even became public knowledge. We'll find out more when information on the bug becomes available at Black Hat. But since Google's app verifier and Play Store can catch apps using Fake ID, BlueBox's claim that "all Android users since January 2010" are at risk seems exaggerated. (Though admittedly, users running a device with a non-Google-approved version of Android are left in a stickier situation.)