Android Keystore, the encryption system used on Android devices to store cryptographic keys and user credentials could be attacked to reveal sensitive information, claim security researchers.
In a research paper, titled Breaking Into the KeyStore: A Practical Forgery Attack Against Android KeyStore, Mohamed Sabt and Jacques Traoré, two researchers at Orange Labs, claimed that the encryption scheme in use by the operating system doesn't provide integrity, which means that an attacker is able to undetectably modify the stored keys.
They also demonstrated that the flaw could be exploited to define a forgery attack breaching the security guaranteed by the KeyStore. In particular, the researchers added, their attack allows a malicious application to make mobile apps to unwittingly perform secure protocols using weak keys.
They outlined an attack scenario in which an application entrusts the KeyStore with its symmetric key.
“Our attack lulls users into a false sense of security by silently transforming, for instance, 256-bit HMAC keys into 32-bit ones. This allows a malicious third party that controls the network to break any secure protocol based on these weak keys. Such an attack might constitute a real threat, since it could happen undetected,” said the researchers.
It added this attack affects the latest Android build.
“The purpose of the forgery attack is that given a ciphertext of a symmetric key, the adversary can fabricate another ciphertext that decrypts to a shorter key,” the researchers said.
“The threat is concrete: the attacker goes undetected while compromising the security of users,” said the researchers.
The paper highlighted that intuition often goes wrong when security is concerned.
“Unfortunately, system designers still tend to choose cryptographic schemes not for their proved security but for their apparent simplicity,” said the researchers. “This is not a good choice, since it usually results in severe consequences for the whole underlying system.”
The researchers said that the quickest solution to fixing the problem would be to keep the hash-then-encrypt paradigm and use it with another encryption mode.
“The Counter (CTR) mode is often perceived as being advantageous to other modes. However, we prove that the scheme Hash-then-CTR-Encrypt does not provide integrity either,” they said.
The pair said the research was disclosed to Google in January and added that the Android Security team confirmed that the encryption scheme is planned for removal.
Javvad Malik, security advocate at AlienVault, told SCMagazineUK.com that this attack against the Android keystore highlights that even for well-funded projects like Android, there is a security gap that lies between cryptographers or the cryptographic requirements – and the developers and system designers that have to implement it.
“There are many well-tested and established secure methods that are available to store credentials, and those should be given preference. Whenever a system designer decides to implement their own method to store credentials, the chances are they will not stand up to rigorous testing,” he said.
“While this current attack may be limited in scope – history has shown attackers have been creative in ‘productionising' attacks. Unfortunately, with flaws that exist in the OS itself, there are limited steps organisations can take to protect themselves – rather, they have to remain vigilant and monitor activity – looking for anything anomalous. In addition, keeping a close eye on threat intelligence from the market for information on if and when such attacks are out in the wild will help organisations be prepared.”
Mark James, security specialist at ESET, told SC that there's always been a compromise between simplicity and effectiveness in all aspects of security.
“For security to be effective it has to be manageable, along with manageability there comes a need for integration with skill sets. People like to feel comfortable and often it's easier to go with the flow rather than look at new or challenging ways to accomplish a certain task.”