Android FakeID vulnerability....

[ross549]

https://securityledger.com/2014/07/old-apache-code-at-root-of-android-fakeid-mess/

 

The vulnerability was disclosed on Tuesday. It affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox. According to Bluebox, the vulnerability was introduced to Android by way of the open source Apache Harmony module. It affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications, according to Jeff Forristal, Bluebox’s CTO. He will be presenting details about the FakeID vulnerability at the Black Hat Briefings security conference in Las Vegas next week.

 

In an email statement to The Security Ledger, a Google spokesman acknowledged working with Bluebox to fix the vulnerability. “After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP,” he wrote. “Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability.”

 

Hopefully this gets pushed out FAST.

 

Adam

[securitybreach]

Thanks for the head's up Adam

[Guest LilBambi]

Yes, let's hope this gets pushed out quickly.

[securitybreach]

That and of course, Nexus devices get the updates right away.. Or you can run AOSP(Android OpenSource Project) roms and get the updates as well.

[ross549]

but aren't phone companies notorious for never or rarely patching their os?

(yes, android does other things besides phone...)

 

Yes, LG, Samsung, and others are generally slow to push major updates. Making it harder are the cellular carriers that have their own specific configuration and software. I am not sure about security fixes, though.

 

Adam