Tuesday, July 29, 2014

'Fake ID' and Android security [Updated]

'Fake ID' is an important find, but Google Play and Play Services updates mean most users are already protected

Today security research firm BlueBox — the same company that uncovered the so-called Android "Master Key" vulnerability — has announced the discovery of a bug in the way Android handles the identity certificates used to sign applications. The vulnerability, which BlueBox has dubbed "Fake ID," allows malicious apps to associate themselves with certificates from legitimate apps, thus gaining access to stuff they shouldn't have access to.

Security vulnerabilities like this sound scary, and we've already seen one or two hyperbolic headlines today as this story has broken. Nevertheless, any bug that lets apps do things they're not supposed to is a serious problem. So let's sum up what's going on in a nutshell, what it means for Android security, and whether it's worth worrying about ...

Update: We've updated this article to reflect confirmation from Google that both the Play Store and "verify apps" feature have indeed been updated to address the Fake ID bug. This means the vast majority of active Google Android devices already have some protection from this issue, as discussed later in the article. Google's statement in full can be found at the end of this post.
