The security of Android app updates hinges on the secrecy of a given app's signing key. It's how app updates are verified as secure, and if it falls into the wrong hands, false updates could be distributed containing nefarious changes. As a result, developers usually guard signing keys quite closely, but someone at Facebook seriously messed up. A key used by the company to digitally sign its Free Basics by Facebook app has been compromised, and third-party apps reusing the key have been spotted online.

After APK Mirror and Android Police owner Artem Russakovskii discovered the issue and reported it to Facebook, the original app listing was pulled from the Play Store and replaced with a new app using a new signing key. Since then, the company has not publicly divulged the nature of the compromised key or the precise reason for the re-released app to its users, placing them at risk if they still have the old version installed. Before the listing was removed, the original Free Basics by Facebook app had over five million downloads on the Play Store.

In the past several weeks, I noticed a bunch of random APKs being uploaded with @facebook's crypto signature used in its Free Basics app. Upon closer examination, they either used a public debug key or the key got leaked. Either way, this is dumb, FB.https://t.co/71uSMPO8YP — Artem Russakovskii (@ArtemR) August 9, 2019

What happened?

Android Police's sister site APK Mirror hosts Android apps for download. We do it for several reasons: to circumvent censorship, so enthusiasts can download updates before they're widely rolled out, to mitigate geographic restrictions, and to provide a historical archive for comparison and ease of rolling back updates, among other reasons. We're especially concerned about security, given how dangerous downloading apps from third-party sources can be, so we go out of our way to manually review and vet every APK that hits the site.

In the last month, we've spotted third-party apps using a debug signing key which matched the key used by Facebook for its Free Basics Android app. (As an aside, using a "debug" key in production is also not a best practice for developers, let alone one of Facebook's reach and stature.)

We notified Facebook about the leaked key earlier this month, and the company verified it, pledging to address the issue in a new version of the app, which the company claims it has prompted users to upgrade to from inside the old app. Based on details provided to us by Facebook, the precise reason why customers need to upgrade isn't included in that prompt, and it hasn't published details regarding it elsewhere.

The listing for the Free Basics by Facebook app has since been pulled from the Play Store and replaced with a new listing utilizing a new app signing key. We aren't sure of precisely when the app was de-listed, as the last Internet Archive backup of the listing was in July, and the replacement app landed on August 14th. Facebook claims that it released a new version of the app within 24 hours of Russakovskii's report. APK Mirror is also not accepting uploads that use the compromised key.

Technical details: how signing keys work

APK Mirror can provide folks with apps securely because Android apps are digitally signed by their developers, giving them a cryptographic signature that verifies the package as legitimate, regardless of its source. Of course, that security is entirely dependent upon developers keeping their app's signing key secret; if it's publicly available, anyone can sign an app that claims to be an update to their app, and consumers' phones will happily install right over the top of the real app. So losing or leaking a signing key is a big problem.

To make things a bit easier for developers, Google started a service which allows developers to store app signing keys on its servers instead. The "Google Play App Signing," as it's called, means that app keys can't ever be lost and compromised keys can be "upgraded" to new keys. However, not all developers take advantage of this new service. If you follow Google's recommendation and destroy your local copy of the key after migrating, you can no longer distribute apps with a single key outside the Play Store. In many cases, it's simpler for developers targeting multiple avenues of app distribution to manage signing keys themselves. (Android 9 Pie also supports a new "key rotation" feature which securely verifies a lineage of signatures in case you need to change them, but it'll be a while before every phone supports it.)

If signing keys fall into the wrong hands, third parties can distribute maliciously modified versions of the app as updates on venues outside the Play Store, and potentially trick sites similar to APK Mirror that rely on signature verification. Someone can easily upload a fake app that looks like it was made by Facebook to a forum or trick less wary APK distribution sites into publishing it based on the verified app signature. Customers who stick to official sources like the Play Store should be safe, but folks used to sideloading apps or prompted to follow steps they don't fully understand are at risk.

Also, note that any updates to the older Free Basics app delivered by the Play Store would still require the credentials for an account associated with the app's Developer Console, so you would not have had to worry about downloading malware-laden versions from Google's (now defunct) listing for the compromised app.

We've already spotted third-party apps using the Free Basics by Facebook's signature being distributed in the wild, so the effective "exploit" which is presented by the compromised security key is actively being used. Although we provided Facebook with evidence regarding these third-party apps using the Free Basics signing key, the company maintains it has "seen no evidence of abuse." Apparently, third-party use of an app's signing key does not constitute abuse in Facebook's mind, though we personally consider any re-use of the leaked key to imply deliberate and potentially malicious intent.

New app, who dis?

To fix the issue, Facebook had to release a new app on the Play Store with a new application ID, effectively changing the app's system-facing "name" as well as its signing key. We're told by Facebook that the app was re-released with the new key within twenty-four hours of Russakovskii's report, though Play Store records indicate it was last updated on August 14th, five days after the company responded to his reports regarding the leaked key. The previous app listing reported over five million installs, while the updated version with the secure key counts less than 50,000 — either a whole lot of people stopped using the app, or most folks haven't updated to the new version yet.

Free Basics by Facebook

The Free Basics by Facebook app probably wasn't used by most of our readers, it was meant for customers with limited or prohibitively expensive data in developing countries. You might remember the outrage over net neutrality regarding the app, which provided access to a handful of services via zero-rated data, as it pushed those same users into Facebook's ecosystem. The app was ultimately banned in India over those net neutrality concerns, and it's been quietly exiting other markets in recent years. There were also accusations by the U.N. that Facebook may have incited genocide in Myanmar before pulling the plug for the Free Basics service in that country.

Unfortunately, the fact that this application served those in emerging markets makes this problem even worse, from our perspective. Folks just coming online are less likely to understand the security implications of installing apps from unknown sources on Android devices. A link claiming to provide a cracked game or free media could just as easily point them at opportunistically titled and signed malware. With the right package name, icon, and app signature, they wouldn't even know which app to uninstall if they weren't paying attention. Forum listings ostensibly advertising a cracked ad-free YouTube app could actually install a malicious update on top of Free Basics by Facebook. The malware-laden app could then potentially read the existing app's data and log information input or sent to it.

Like any sideloaded app distributed outside the Play Store, it could also take advantage of any platform weaknesses present — older phones are often used in emerging markets, and the Free Basics app does support and target software as old as Android 4.2 Jelly Bean. By itself, the leaked security key doesn't mean that every phone running the older version of the Free Basics by Facebook app is immediately compromised, but it is a complicating detail that enables an extra avenue for potential security issues.

The new app's Play Store listing.

The old app is ostensibly telling users to move to the new version, but we can't find the specific statement provided to customers. A spokesperson told us that users were simply notified of the requirement to upgrade in the old app. We can't check the old app or the specific message sent to customers ourselves, either, as it doesn't appear to work outside specific markets (even with a VPN, we tried). Requests for the specific message provided to customers by Facebook were ignored. However, the new app listing on the Play Store makes no mention that the security of the old app has been compromised by the leaked signing key, and we can't find any disclosure about how this leak impacts user security anywhere on Facebook's site or the internet.org site (ostensibly the collaborative effort behind the Free Basics app).

So far as we can tell, Facebook has not made a public announcement specifically regarding the security of the older app and the fact that the signing key has been compromised, although information regarding the signing key has been public for weeks and apps making use of it have been distributed for at least as long.

When asked for a statement, a company spokesperson provided us with the following:

We were notified of a potential security issue that could have tricked people into installing a malicious update to their Free Basics app for Android if they chose to use untrusted sources. We have seen no evidence of abuse and have fixed the issue in the latest release of the app.

Answers provided by the spokesperson to follow-up questions regarding how the app's security key may have leaked didn't offer an explanation, though we were told that the app should not be pre-installed on any Android phones, or at least the company doesn't "support" that practice. Questions regarding how the company planned to disclose the app's lapse in security to users were dodged, with the spokesperson telling us the company was simply requiring users to upgrade to the latest version.

It isn't clear if Facebook plans on directly explaining to Free Basics' current users that its contentious, net neutrality-defying app also constituted a security risk. The company is known for its lax approach to security these days, but at least it saw fit to notify customers and the public in general of the details in those cases.

We encourage anyone using Free Basics by Facebook to uninstall the old version of the app and migrate to the new version as soon as possible. While nothing about the old app is inherently compromised, it could be used as a vector for the delivery of fraudulent updates via sideloading, especially among less technical consumers unfamiliar with best security practices and used to downloading apps from third-party sources, such as those in emerging markets that the app explicitly targets.