A serious vulnerability in Android could put millions of devices at risk from attackers modifying code in applications without affecting their signatures.
According to a blog post by GuardSquare, at the core of the issue is that a file can be a valid APK file and a valid DEX file at the same time.
Dubbed the Janus vulnerability, after the Roman god of duality, it stems from the possibility to add extra bytes to APK files and to DEX files.
“On the one hand, an APK file is a zip archive, which can contain arbitrary bytes at the start, before its zip entries (actually more generally, between its zip entries),” said researchers.
They added that the JAR signature scheme only takes into account the zip entries. It ignores any extra bytes when computing or verifying the application's signature.
“On the other hand, a DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions, etc. A file can, therefore, be a valid APK file and a valid DEX file at the same time,” said researchers.
Researchers said that although Android applications are self-signed, signature verification is important when updating Android applications.
“When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update,” researchers added.
“The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get unverified codes with powerful permissions installed on the devices of unsuspecting users.”
Researchers said that an attacker can prepend a malicious DEX file to an APK file without affecting its signature. “The Android runtime then accepts the APK file as a valid update of a legitimate earlier version of the app. However, the Dalvik VM loads the code from the injected DEX file,” they added.
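The defensive counterpart of the mechanism described above, as an added example (not GuardSquare's or Google's code): a check that reads an APK's end-of-central-directory record to measure how many bytes sit in front of the zip entries that a v1/JAR signature covers, and reports whether those bytes begin with a DEX header. The sample archive and the DEX-like prefix are constructed inside the block; real APKs would be read from disk.

```python
import io
import struct
import zipfile

# Every DEX header starts with "dex\n" followed by a version string such as "035\0".
DEX_MAGIC = b"dex\n"
ZIP_EOCD = b"PK\x05\x06"


def prepended_length(data: bytes) -> int:
    """Bytes in front of the zip stream: where the central directory really starts
    (EOCD offset minus its size) minus where the EOCD record says it starts."""
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip archive")
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    return (eocd - cd_size) - cd_offset


def check_apk(data: bytes) -> dict:
    """Flag an APK whose zip entries (all that a v1/JAR signature covers) are preceded
    by extra bytes, and report whether those bytes carry a DEX header."""
    extra = prepended_length(data)
    dex = data.startswith(DEX_MAGIC)
    return {"prepended_bytes": extra, "starts_with_dex": dex, "suspicious": extra > 0 or dex}


def entry_names(data: bytes) -> list:
    """Entry names as a zip reader sees them; prepended bytes do not change them."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def build_sample_apk() -> bytes:
    """Constructed stand-in for a signed APK: a zip with the entries a v1 signature covers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 104)
        z.writestr("AndroidManifest.xml", b"<constructed/>")
    return buf.getvalue()


# Constructed stand-in for an injected DEX: valid magic, padded to a plausible header size.
FAKE_DEX_PREFIX = b"dex\n035\0" + b"\xaa" * 120

if __name__ == "__main__":
    clean = build_sample_apk()
    for label, blob in (("clean", clean), ("prefixed", FAKE_DEX_PREFIX + clean)):
        print(label, check_apk(blob), entry_names(blob))
```

The prefixed file lists exactly the same entries as the clean one, which is why a signature computed only over zip entries still verifies; the EOCD arithmetic is what exposes the extra bytes.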
The flaw affects devices running Android 5.0 (“Lollipop”) and newer versions of the OS. The flaw has been patched by Google, and the patch released to partners in November.
Researchers said that there was no indication that the flaw has been exploited. “Applications that have been signed with APK signature scheme v2 and that are running on devices supporting the latest signature scheme (Android 7.0 and newer) are protected against the vulnerability,” the researchers said.
“Unlike scheme v1, this scheme v2 considers all bytes in the APK file. Older versions of applications and newer applications running on older devices remain susceptible. Developers should at least always apply signature scheme v2.”
Winston Bond, technical director EMEA at Arxan Technologies, told SC Media UK that getting Android updates onto phones is tough. Any code changes from Google have to get through the phone manufacturer's engineering department and the mobile network's customisations and approvals before consumers will even get the chance to ignore them.
“Multiply that by all the phone manufacturers, models and operators and it's obvious that out-of-date Android devices will be a permanent problem. That no-brand phone you bought for US $50 (£37) on a PAYG deal two years ago probably works just fine, but it isn't going to get security patches,” he said.
Bond added that an enterprise can look after itself by delivering its critical internal apps through a MAM solution that can check the relevant information and either block installation or alert the IT department about the risky devices.
“Developers of big consumer-facing apps need to make sure that their apps can look after themselves, particularly by using anti-tampering and anti-reverse-engineering tools,” added Bond.
Steve Lamb, head of cyber-consulting for Europe at Rapid7, told SC Media UK that the risk is that users are tricked into installing fake updates to applications that are likely to function as expected, yet contain malicious backdoor code. “Updates installed from the Google Play store should not contain malware. It's the compelling emails and websites that suggest updates are urgently required that users should be wary of as these will often lead to malware,” he said.
Rusty Carter, VP of Product Management at Arxan Technologies, adds in an email to SC Media UK: "This vulnerability is very large and shows in a very widespread way that the status of an application cannot be trusted on Android. Any application could have arbitrary or malicious code loaded with it to change behaviour and compromise the app and its data.
"To mitigate the problem while patching devices, organisations should ensure that any application accessing a corporate resource is protected via an enterprise mobility solution that includes integrity checking and security such as MAM (Mobile Application Management). Companies should also implement NAC (Network Access Control) to ensure devices on their network are profiled and only patched devices or protected applications can access corporate resources.
"Devices could be patched by updates from Google, delivered by the device manufacturer and/or Mobile Operator. This means that consumers and their applications are at the mercy of updates being provided to their device. Furthermore, devices and handsets that don't support the latest version of Android will likely not get an update and will forever be vulnerable.
"This is an urgent warning to all mobile application developers, as their applications are vulnerable and will remain vulnerable to attack in perpetuity. They will need to protect new versions of their applications, deprecate their APIs, and protect APIs from access by applications that can't be verified as protected. The first step in securing your business is application protection that provides expert guidance, advanced code and anti-tamper protection, and analytics to track protection status and detect anomalies. Next will be securing data from inside the application all the way to the datacentre (end-to-end data protection) to prevent tampering by potentially compromised environments. Finally, companies should look to application protection vendors that provide all of the above, and address key and API protection that can restrict API access to only proven valid apps."
"Users should verify the version of Android their device is running, and check with their device manufacturer to see if they have an update that covers CVE-2017-13156. They should also ask their app providers, including their banks, mobile payment providers, insurance companies, auto manufacturers (if they have mobile applications that grant access or can manage their vehicle), health and medical devices or services (data or device control), and others that deal with sensitive or private information, how the provider protects their apps and information from tampering, and how they monitor apps running on devices to ensure their security status."