Bluebox Security recently discovered a serious security flaw in the Android OS that affects every version from 2.1 (Eclair) to 4.3 (Jelly Bean). Given the total number of devices running these OS versions, the potential impact runs into the millions.
Dubbed ‘Fake ID’ by the company that found it, the flaw would allow a malware app to spoof the certificates of specially privileged parties such as Google Wallet or Adobe, then use those faked credentials to gain control over every app running on the device. Having done so, the owners of the malware app could use that control for any purpose, from monitoring keystrokes to the wholesale capture of financial and other confidential information. It is not known for certain whether this flaw also affects forked projects such as Amazon’s Fire OS, which grew out of the Android Open Source Project, although the potential definitely exists.
Not Isolated To Consumer Impact
Given that the Android OS has gained a strong footprint in enterprise services, this flaw puts not just individual consumers at risk but also enterprise-level data. In terms of overall impact it is not as serious as the Heartbleed bug, but it was flagged as a serious security flaw and treated as such.
Google has been notified of the bug, and a patch has already been issued to fix the flaw. The patch has been made available to all Android partners and to the Android Open Source Project, and a Google spokesperson also said that Google Play and Verify Apps have since been enhanced to protect users from the issue.
What You Can Do To Protect Yourself
It should be noted that a scan of Google Play apps found no attempts to exploit the flaw, and now that the patch has been released, the window of opportunity for doing so is closing rapidly. To protect yourself and your data, whether at the consumer or enterprise level, the only thing you need to do is make sure you download and install the latest patches for the Android OS.
Most people have their devices set to update their apps and OS automatically, so in the overwhelming majority of cases this bug was discovered and fixed without your having to do anything. If you have turned automatic updates off, however, you will want to enable them to receive this security patch.
So far in 2014 we have seen an enormous number of serious hacking attacks, ranging from crippling denial-of-service attacks to breaches that have led to the theft of confidential data from millions of user accounts. Hand in hand with this, several high-profile security flaws have been revealed over the past twelve months, a trend we can expect to continue.
These kinds of problems are inevitable, and no company, regardless of its size or how many resources it applies to QA, will be able to eliminate them. As the complexity of our software continues to grow, these issues will continue to plague us. The best we can do is to be vigilant, be watchful, and be proactive about installing security updates as they are released.