Android OS Caught With 'Fake ID' Bug

Posted

Google's Android operating system has been caught with a Fake ID—a vulnerability that allows malicious apps to impersonate trusted services without user notification.

Recently discovered by the Bluebox Security research team, "Fake ID" allows individual application identities to be copied and used to hijack your phone and infiltrate user information.

"Every Android application has its own unique identity, typically inherited from the corporate developer's identity," Bluebox CTO Jeff Forristal wrote in a blog post. The bug, however, will copy the identities and use them "for nefarious purposes."

The widespread flaw dates back to the early-2010 release of Android 2.1; all those running a pre-Android 4.4 KitKat device may be vulnerable.

According to Bluebox, Google essentially dropped the ball on checking that applications actually are what they say they are—hence the name "Fake ID." Using this vulnerability, hackers could pose as Google Wallet to access NFC financial and payment data, or take control of an entire device by imitating enterprise security service 3LM.

"Application signatures play an important role in the Android security model," Forristal wrote. "An application's signature establishes who can update [it], what applications can share its data, etc."

"The Android package installer makes no attempt to verify the authenticity of a certificate chain; in other words, an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim (normally done by verifying the issuer signature of the child certificate against the public certificate of the issuer)," he continued.

Google did not immediately respond, but did tell BBC News that it has created a fix.

"We appreciate Bluebox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users," a spokeswoman told the news site. "After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project."

But, as the BBC points out, thousands of susceptible mobile devices have not been sent the fix by network operators, and manufacturers are still open to attack if they download certain apps from outside of the Google Play store.

Android users may have more than a Fake ID working against them: Late last month, IBM security researchers revealed a high-risk bug that affects Android 4.3, which runs on more than 10 percent of Android devices.

 

https://bluebox.com/blog/technical/android-fake-id-vulnerability/
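
The chain check Forristal describes, modelled as an added example (not part of the original post, and not Bluebox's or Android's code). It assumes a simplified `Cert` class standing in for X.509, toy textbook-RSA keys built from small primes, and hypothetical subject names; all sample data is constructed.

```python
import hashlib
from dataclasses import dataclass

def toy_keypair(p, q, e=65537):
    """Textbook RSA from two primes. Constructed toy key: insecure, model only."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))   # (n, e, d)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:                      # simplified stand-in for an X.509 certificate
    subject: str
    issuer: str
    pub: tuple                   # (n, e) of the subject
    sig: int = 0                 # issuer's signature over tbs()

    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()

def issue(subject, issuer, subject_key, issuer_key):
    cert = Cert(subject, issuer, subject_key[:2])
    n, _, d = issuer_key
    cert.sig = pow(_digest(cert.tbs(), n), d, n)
    return cert

def chain_ok_names_only(chain):
    """Flawed check: trusts the issuer field without verifying any signature."""
    return all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))

def chain_ok_verified(chain):
    """Each child's signature must verify under its parent's public key."""
    for child, parent in zip(chain, chain[1:]):
        n, e = parent.pub
        if child.issuer != parent.subject:
            return False
        if pow(child.sig, e, n) != _digest(child.tbs(), n):
            return False
    return True

# Constructed sample data: a vendor CA, an app it issued, and an app that only claims it.
VENDOR_KEY = toy_keypair(2**61 - 1, 2**89 - 1)
OTHER_KEY = toy_keypair(2**107 - 1, 2**127 - 1)
vendor = issue("CN=Trusted Vendor", "CN=Trusted Vendor", VENDOR_KEY, VENDOR_KEY)
genuine = issue("CN=Vendor App", "CN=Trusted Vendor", OTHER_KEY, VENDOR_KEY)
claimed = issue("CN=Unrelated App", "CN=Trusted Vendor", OTHER_KEY, OTHER_KEY)
```

Both `[genuine, vendor]` and `[claimed, vendor]` pass the names-only check; only the genuine chain passes once the child's signature is verified against the issuer's public key.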

Posted

how much trustable this app man?

 

 

you can install man.. no issues..

Posted

 

 

you can install man.. no issues..

done no issues uninstalled... i already have CM SECURITY APP

Posted

done no issues uninstalled... i already have CM SECURITY APP

 

cool man.. i did too.. no issues for me too
