Dan Goodin, at Ars Technica, is writing about a security flaw in Android. It’s got all the usual scary-scary language about doom and gloom, quotes from antivirus peddlers, and it wasn’t long until sensationalist Apple site AppleInsider took it all one step further (relevant). So, is this a real security threat, or are we looking at sensationalism run amok?
This is the issue in a nutshell.
The Fake ID vulnerability stems from the failure of Android to verify the validity of cryptographic certificates that accompany each app installed on a device. The OS relies on the credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash in all but version 4.4, for instance, is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access Near Field Communication hardware that processes payment information.
Sounds serious! Should you be worried? Is it time to stock up on canned beans and switch to a Nokia 3310? Of course, it’s always time to switch to a Nokia 3310, but not really because of this “issue”. Buried deep within the Ars Technica article is Google’s response to the issue.
After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.
First, a patch has been sent to OEMs and AOSP, but with Android’s abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue and to prevent applications that try to abuse this flaw from being installed. This means two things.
First, there are no applications in Google Play that exploit this issue. If you stick to Google Play, you’re safe from this issue, period. No ifs or buts. Second, even if you install applications from outside of Google Play, you are still safe from this issue. Verify Apps is part of Play Services, and runs on every Android device from 2.3 and up. It scans every application at install time and continuously during use for suspect behaviour. In this case, an application that tries to exploit this flaw will simply be blocked from installing or running.
As a sidenote, you can actually disable Verify Apps, but unlike what some people seem to think, the dialog you get about sending data to Google when trying to sideload an application has nothing to do with this (that dialog just covers sending data about the application to Google, which is not required for Verify Apps to work). To actually completely disable Verify Apps, you need to go into the Google Settings application (or the Android settings application in 4.2 and up), navigate to Security, and disable it from there.
To get back to the matter at hand: this means that every Android user with Google Play Services is 100% protected from this issue. The only way an Android user can potentially be affected by this issue is if she (one) specifically allows installation from unknown sources, and (two) specifically disables Verify Apps – both steps accompanied by several warnings. Luckily, not a single application in or outside of Google Play is currently trying to exploit this issue.
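To make the certificate check at the heart of this concrete, here is an added example in Go. It is my own illustration, not Android’s code, not Google’s patch, and not anything from the Ars article. It constructs in memory a root signing certificate, a leaf certificate genuinely signed by that root, and a leaf whose Issuer field merely names the root while its signature comes from an unrelated key. It then contrasts a weak check that trusts the issuer name on the certificate with proper chain verification via Go’s standard crypto/x509 package. The name-only check is an illustrative stand-in for an insufficient validation step and is not a description of Android’s actual code; the names “Example Platform Signing CA” and “privileged-app” are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key in memory (constructed for the example).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with signerKey, naming parent as the issuer, and parses the result.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Fixture holds the three constructed certificates.
type Fixture struct {
	Root    *x509.Certificate // the trusted signing CA
	Genuine *x509.Certificate // really signed by Root
	Forged  *x509.Certificate // Issuer names Root, but signed by an unrelated key
}

// BuildFixture constructs the certificates used by the checks below.
func BuildFixture() Fixture {
	now := time.Now()
	rootKey, genuineKey, strangerKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Platform Signing CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	leafTmpl := func(serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "privileged-app"}, // constructed name
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
		}
	}
	genuine := issue(leafTmpl(2), root, &genuineKey.PublicKey, rootKey)

	// This "parent" is only a name: it carries the CA's Subject but no key, so the
	// resulting certificate claims the CA as issuer while strangerKey actually signs it.
	claimedParent := &x509.Certificate{Subject: rootTmpl.Subject}
	forged := issue(leafTmpl(3), claimedParent, &strangerKey.PublicKey, strangerKey)

	return Fixture{Root: root, Genuine: genuine, Forged: forged}
}

// NameOnlyCheck is the insufficient check: it believes the issuer name printed on the certificate.
func NameOnlyCheck(root, cert *x509.Certificate) bool {
	return cert.Issuer.CommonName == root.Subject.CommonName
}

// ChainCheck is the proper check: the signature must verify against a root we trust.
func ChainCheck(root, cert *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	f := BuildFixture()
	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"genuine", f.Genuine}, {"forged", f.Forged}} {
		fmt.Printf("%-7s name-only: %-5v chain: %v\n", c.name, NameOnlyCheck(f.Root, c.cert), ChainCheck(f.Root, c.cert))
	}
}
```

Running it shows the genuine certificate passing both checks while the forged one passes only the name-only check; only the cryptographic chain verification tells the two apart, which is why any privilege decision keyed on “who signed this app” must rest on that verification and not on the names inside the certificate.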
While one can expect sensationalist nonsense from a site like AppleInsider – you don’t blame TMZ for reporting on a fart by Miley Cyrus; you don’t blame AppleInsider for spreading sensationalist nonsense – I’m very disappointed that a respected site like Ars Technica resorts to spreading this kind of fear, uncertainty, and doubt, especially since this isn’t the first time the site has done so.
Recently, it has become very clear that the security industry – antivirus peddlers and similar companies – has focused all its attention on Android, resorting to all sorts of dirty tactics to scare unsuspecting users into buying their useless software. Since I can’t stress this often enough: do not install antivirus on Android (or iOS, for that matter). It is not needed in any way, shape, or form.
This is not the first time they have tried to spread and exploit fear, uncertainty, and doubt. Back when Windows started properly shoring up its security, Microsoft released MSE, and the mass infections of the early XP days became a thing of the past, they tried to use the exact same tactics to try and scare the rapidly growing number of OS X users into buying their junk.
I advocated against this practice then (more here), and I will advocate against it now. When you come across stories like this, you can almost always assume it’s FUD, whether it covers Android, OS X, or iOS. They almost always originate from antivirus peddlers, who know full well that operating system security – on both desktop and mobile – has increased so much this past decade or so that their core business model is at stake, and as such, they have to drum up the FUD. I just wish respected websites would not dance to their tunes for clicks.
And yes, you should totally get a 3310.
I’ve heard good things about the GateKeeper security software.
Wow, just wow; they took that story and ran for the touchdown. They took this tissue paper and ran up the flagpole for a full 21-gun salute. The comments are just as bad because they ate it up.
Android’s security is awesome, just stick to GooglePlay.
I implore you to present an example of a fully secure mobile OS, that does not rely on external verification of software.
It’s most likely to be a modified Android, rather than anything consumer oriented.
Thom, thank you for your sanity.
Quote: “one can expect sensationalist nonsense from a site like AppleInsider”
One should really expect the AppleInsider folk to mind their own Apple business… unless they are jealous.
I don’t know where you got this idea that Ars Technica is an unbiased site. They’ve had an anti-Android agenda for quite a while. How about this piece of lying shit? http://arstechnica.com/information-technology/2014/02/neither-micro…
Ars have multiple editors with different biases. You shouldn’t assign a collective bias to them. Some are much worse than others. Fortunately Ars running truly incorrect stories is still not a daily occurrence, it’s just slowly starting to get weekly.
I stopped reading ars regularly a while ago. Now I mostly just pop over for the Siracusa OS X reviews. I don’t even USE OS X, but they’re engaging and well written, and keep me somewhat up to date in Apple desktop land.
I read that too and the article wasn’t accurate, the question is, why is it making you angry?
Uh… Let’s see here… Because they spread lies about Android which is an OS I happen to like? Doh!
I’m sure you like it, but to the point of being offended as if they had killed your own mother?
Do you own Google shares? Are you a Google employee? Do you get paid somehow? If none of those apply, you need to get a life.
It’s just advice.
Edited 2014-07-29 22:48 UTC
I wasn’t really angry. I was more like annoyed by Ars and most comments here seem to agree with me. I am actually starting to get angry over your comments. My advice to you: keep your effing advice for yourself.
As you wish mister satan666.
Yeah, I liked Ars because they had a content mix that many other sites lacked. But then they started running click bait headline stories, usually related to Android and it got annoying. Then they published that piece full of misleading and outright false information. Read the comments, the writer outright attacks some of the readers including a Google engineer. Sad.
Not only that, but just like pretty much every other ‘general-purpose’ tech site out there (including this one), it has been hijacked by liberals who basically use it as their political soap box. I see articles being put up about diversity, the death penalty, gun control, gay marriage, etc… not exactly tech-centric stuff, and they’re ALWAYS biased, one-sided viewpoints.
Not that I always disagree with them, but it gets old seeing the same talking points being rolled out time after time.
So a story about how the Apple app store is killing indie developers, and then an article defending Android’s security because you’re safe as long as you stick to the app store… in the same day?! Come on Thom. Really?
“Abandon app stores” does not logically follow from “app stores have problems”.
(“The app stores need to be improved” is another possible conclusion.)
Err. The article about App store only focuses on Apple because it’s written by an Apple-centric guy. It applies just as well to Android. Also, to anyone who remembers shareware market it should be clear that App store has some clear advantages. It doesn’t mean that there are no downsides, or that some things cannot be improved.
You’re also safe as long as you haven’t disabled the Google-run watchdog service that you probably don’t even realize looks at your sideloaded apps…
… which was covered in Thom’s column:
Spot on. Aside from this being a monumentally stupid bug, it’s been patched by Google and wasn’t ever actively exploited. Pretty open and shut.
You’ll have the usual snide comments about Android not getting timely updates, but thankfully in this case, Google had the forethought to implement their Verify Apps service. Good to see it working in the field, or this would’ve gone from sensationalist to disastrous.
The only people that should worry are the sizable amounts using a forked Android which doesn’t do (to my knowledge at least) app verification from Google.
Hopefully Amazon and others roll updates out in a timely fashion.
AppleInsider is just… lol.
Thom,
I get where you are coming from, really I do – and this is not meant to be a slight against anyone in particular, more of a comment on the media in general. Anyway, no matter how FUD like this may appear:
These kinds of things should be reported
Even if there is absolutely zero chance of such a flaw being exploited, or even ever being exploited, it should still be reported – because it happened. The fact that Google f’d something like this up is relevant to users.
Were I a journalist reporting on this story, I would have put much more emphasis on the fact that the flaw was dealt with swiftly, the vendor researched the problem, prepared patches and sent them upstream promptly, analysis on current apps was conducted and no exploits of it were found in the wild, and protections were put in place immediately to block such rogue apps. But that is me – I think how a vendor deals with problems is way more important than how well they avoid them.
But I still would have reported it.
What is far worse than FUD (if that is truly what this is) is turning a blind eye on certain stories because of what team you root for…
Edited 2014-07-29 21:46 UTC
So that means every user in China and Russia is screwed oh and if you use a third party Rom you might be screwed also!
Nice!
Funny how side loading is a feature when there is no flaw but then we are told not to side load when there is a flaw!
Lol. What a joke.
Oh yeah and last week when that fake BS security story about iOS came out I didn’t see a long drawn out story like this telling us all that that story posted here was a crock of bull. Not even after it was shown to be a crock.
Boy.
Edited 2014-07-29 22:45 UTC
Sideloading is a feature if you download apk’s from a couple of well-known trustworthy developers who aren’t allowed to put their apps in Google Play (AdAway and PSX4droid).
It’s a flaw if you download apk’s from untrustworthy sources. Seriously folks, Android apps and games are pretty cheap, it’s not worth running an antivirus on your phone just to pirate and save a couple of bucks a month.
Oh, and sideloading is a feature that makes your smartphone a computer. If I can’t write a program and install it in my smartphone without having to get permission from the OS vendor, then said smartphone is not a computer, it’s “digital consumer electronics”, aka same category as handheld consoles and satellite receivers (some of them have downloadable games).
Cheers.
Edited 2014-07-30 15:27 UTC
Quote: “Oh, and sideloading is a feature that makes your smartphone a computer. If I can’t write a program and install it in my smartphone without having to get permission from the OS vendor, then said smartphone is not a computer, it’s “digital consumer electronics”, aka same category as handheld consoles and satellite receivers (some of them have downloadable games). Cheers.”
Ahh so because I don’t have the ability to open my device up to all kinds of malware (that people here claim doesn’t exist but everyone from the FBI on down knows does) then my smart phone (it’s called a smart phone, not a computer) is not worthy.
Interesting that 99% of the people out there who use a smart phone use it as a “Smart phone”
I think I would rather have someone make the system safe and keep it safe, than to make it somewhat safe, let me make it unsafe and then blame it on me for making it unsafe. LOL!
Then when it doesn’t work right I have someone to blame rather than the 30-year line Microsoft and now Google are getting away with. “Well if you loaded apps from trusted sources” “Well if you didn’t click on that link” “Well if you used the play store”
BS.
Your anal sphincter must really hurt after you pulled that out of it.
Just look around you in public transport(assuming you live in a large city where there are people in public transport with expensive devices out). Most of the recreational things people do on their laptops these days are performed on a phone.
LOL! Recreational (Meaning like watching videos or listening to music, things you have been able to do on an iPod and other devices before smart phones came out)
Sorry but you just gave your own answer. You don’t need a computer to do recreational things.
And yes I am from New York city and live in Washington DC.
And that is perfectly fine with me. I assume you use an iOS device, and it fits your needs so whats the problem?
Seriously, not everyone has the same priorities and that is fine. If you are content with the way Apple or whoever manages the security of their products no one is stopping you from buying from them.
What I don’t get is all the glee you seemingly derive from pointing out the problems you perceive with a platform you don’t even use… The fact is, some people want the flexibility to run unsigned apps, or even completely replace their OS – that is a need that is addressed by Android and is not addressed by iOS.
Android allows users to take control of their system back from their vendor if they choose to. It’s built that way on purpose. Supporting that requires a somewhat less draconian approach to security than a blanket “you can’t run unsigned apps” policy that cannot be altered.
No amount of hand waving on your part is going to convince anyone that “the Apple way” is better, because frankly “the Apple way” is utterly unacceptable to those people.
This entire discussion is about an Android security flaw. You apparently don’t use Android. Why are you here?
I am here because the site is OS news not Android news. And it’s funny the glee everyone gets when fake stories come out about iOS security.
When those are posted, that’s just fine bogus or not, but when it’s an Android story (which is 100 percent accurate) then Android users get hostile.
Almost like American Republicans. They can fry Obama but then when it’s flipped back on them how hypocritical they are, they get hostile and want to know why liberals are all in their business. LOL.
Makes me laugh.
And I do use Android, I have a GS5 and a LG Optimus G Pro, mainly so people like you can’t say I don’t know what I am talking about or that I obviously don’t use Android.
Edited 2014-07-31 05:16 UTC
Hey, I still have a 3310. Probably the best phone I ever had.
I have a 3510i ( http://en.wikipedia.org/wiki/Nokia_3510 ), is that good enough? (and yeah, probably the best phone I owned)
FUD
Jailbreak an Apple and nothing will protect you, Root Android and the system still protects you if you don’t disable verification
let me recap:
two days ago you ranted about how the Android security topic is overblown and how people that believe that Android has a problem with security are essentially delusional:
rant: “Trend Micro caught lying about Android security”
and now when Google admits that there is a problem it is not really a real problem?
it looks like you are caught in an RDF (Reality distortion field)
btw besides antivirus applications on Android, much worse are the ones for “optimising” and “cleaning” the system that a lot of people install (a habit from Windows).
A flaw and a problem are not the same thing. This flaw might become a problem or not. Presenting it as a problem when it’s already being mitigated is a problem.
… i stopped regularly reading them when they had the “omg it’s been 4 days and Apple hasn’t patched vulnerability X” article.
For reference, it was this idiocy: http://arstechnica.com/security/2014/02/four-days-in-and-still-no-p…
So no, Ars is not picking on Android specifically, they’re just going down the drain and you can’t trust their articles any more. The Conde Nast purchase finally shows
Since when is Ars technica a respected site?
Pretty much all their stories sound like advertising. They are quite obviously taking money from big corporations they write about, most notably Apple. They also actively monitor their comment section and delete anything that does not pour glory on their sponsors.
Most of their stories come directly from big corps like Apple, Microsoft or Google.
I’m going to voice my disagreement. They serve lots of interesting content and especially stuff like their “Web served” – series ( http://arstechnica.com/series/web-served/ ) are my favourites. I certainly don’t agree with your claims and I have not seen this deletion of comments you’re trying to pin on them.
You can see the comments appear and disappear some minutes later.
And the web server articles from 2013 you mention are full of it. I just looked at the first one and they start by recommending 2 web hosting services, don’t even say why those 2 instead of one of the other thousands and go as far as providing a totally unneeded big ostentatious picture with their pricing clearly displayed. Then they list the specs of their servers and take care to link each component to a nice link to buy it at Amazon. Totally independent and unbiased…
Edited 2014-07-30 14:11 UTC
Wait, are you saying that they shouldn’t give any examples of what to use? Or are you saying that they should only use examples that you approve of? Regardless of what you’re going to answer both of those stances would be ridiculous. No matter what they had given as examples you’d still go on a tangent about how they’re “advertising” and “biased” and whatnot.
No, sorry, I’m not going to agree with you. It makes totally perfect sense to provide a few examples of what and where to look and they don’t even try to make any sort of claim that those are the only possible choices available.
The web hosting services they recommend are not only examples. They RECOMMEND using them, without any reason given whatsoever. They could have laid the sentence out like “of course you can use a web hosting service like that one or that one” but they chose to lay it out like “If you want to use web hosting services we recommend this service or this service”. Then they don’t have to put an ostentatious picture of the pricing offered by those services. Those interested can find it on the web site they already linked to. Doesn’t that sound like an advert? If it quacks like a duck…
About the “example” of computer parts they use, they could very well link to the manufacturer site or some neutral source like wikipedia. But they use Amazon, where only commercial information is available and where you can directly buy the product. And that’s not just a link to Amazon’s page about the product, it’s a link with a tracking id. They definitely get money for that one.
Is that wrong? No it isn’t. They have to make money somehow. Should you take Ars Technica as a neutral source? Definitely not. There are countless sources where you can find tutorials to set up a web server. Most of them have a clear business model. Some of them are gratis and are using adverts to get revenue but those adverts are clearly delimited in a specific section. Some of them are totally free and funded by universities or donations. Some of them are paid for. Ars Technica is entertaining but their advertising is pervasive and hard to tell apart from content. Slashdot has slashvertisements but you can spot them more easily. Just look at the comment section where all posters downplay the article as an advert. OSAlert is kind of the best in that regard. I think you can trust Thom to be totally independent and he has proven it multiple times, although it’s sad he can’t make a living out of it. Ars Technica not so much. I mean look: Thom links to wikipedia when he recommends the Nokia 3310 and that phone is not even sold. Obviously the Nokia 3310 is awesome.
Edited 2014-07-30 21:52 UTC
Google Play and Verify Apps scan applications and look for suspicious patterns that *could* indicate that the vulnerabilities may be exploited.
However, both Google’s Play scanning and Verify Apps can be circumvented through obfuscated code. It is but heuristics after all.
And if someone does decide to exploit this, there is a chance that they can figure out a way to game the pattern scanning and slip a malicious app through.
Thom, your bias is showing.
I have no idea why you were modded down when you’re entirely correct. It wouldn’t be the first time Google’s security scans have been fooled, even their Guardian or whatever its name is that they use to police apps on Google Play has been provably fooled plenty of times.
Not only that, but these things only protect you if you’re using Google’s services; if you don’t have them installed you’ll still be vulnerable.
Yup. Either virus scanners ( including verify apps) are snake oil or they aren’t. You can’t have it both ways.
Not sure what bias that is. He’s kind of demonstrated in the past that he has trouble contextualizing security issues. It’s not intentional, just a blind spot. There is a problem, most people do one of two things: dismiss it as not a problem or declare the end of the world. Security isn’t an absolute binary. People (including Thom) have trouble understanding that.
I think of virus scanners as just one security mechanism – out of many – which can provide security in-depth.
An attacker determined to exploit this bug may very well be able to develop an app that can pass through the Verify and other scanners. Or he may use a vulnerability in another app to execute code on the device and use this vulnerability in a blended attack to elevate his privileges.
The next logical step for the modern day attacker would then be to *automate* the attack, e.g. by using one of the many compromised servers to serve an attack cocktail.
Visitors to the sites will then have their devices compromised.
So what good is the security verifiers/scanners then?
Because once the attack becomes widespread it *will* be picked up upon, analysed and new patterns added to the scanners to discover malicious apps.
So while the scanners/App Verify will not be any guarantee against exploitation of this bug, they may just provide some protection for the masses and limit the proliferation.
But blindly referring to the scanners/App Verify as a *guarantee* against malicious code exploiting this vulnerability is complacent ignorance.
This IS a VERY serious problem. Vigilance on part of Google may help curb exploitation rates if/when it gets exploited, but it absolutely CANNOT prevent exploitations in the first place, as Thom seems to suggest.
NEVER, ever put all your trust in one single security mechanism. If App Verify is so effective that it can prevent exploitation of this, why would we need the other security mechanisms and the privileges in the first place?
The answer, of course, is that App verify and other scanners ARE NOT security boundaries and ARE NOT perfect.
Edited 2014-07-30 15:51 UTC
Yup. Give the man a cigar.
In this case Google doesn’t need a heuristic, they can just apply the fixed non-broken certificate check, and the broken check on the phone doesn’t matter.
The check on the phone only matters if you download and install unverified applications from untrusted sources. In that specific, unlikely and self-inflicted case, the app can pretend to be from someone it is not.
Sorry, Thom is right and Ars and you are wrong.
Edited 2014-07-30 20:53 UTC
I’ve personally found a number of the security articles coming out of Ars to be more than a little sensationalist. For instance, in the fallout from the heartbleed bug it occurred to me that their articles were more geared at sensationalist link baiting than actually doing a good job at technical journalism.
Even more recently this following article really irked me too for exactly the same reason.
http://arstechnica.com/security/2014/07/only-a-few-days-old-openssl…
Maybe it’s just how Dan Goodin approaches his articles or maybe it’s from his editors, or maybe I’m just crazy.