A flaw in the Apache Harmony project has come back to threaten every version of Android from 2.1 to 4.4. It makes it possible to load apps that claim to be from almost any legitimate authority.
Perhaps the first thing to say is that the whole matter has been handled responsibly and Google already has a patch that fixes the problem. Whether your carrier has distributed the patch is another matter.
An app's signature, derived from a certificate owned by its creator, determines what the app can do and who can update it. Apps created by companies like Adobe have higher levels of trust hard coded into the OS.
The problem is that the Android package installer doesn't check the authenticity of a certificate chain of an app. For example, you could create a new app with a new signature using a certificate you created. The blog post says:
"you can see for yourself in the createChain() and findCert() functions of the AOSP JarUtils class – there is a conspicuous absence of cryptographic verification of any issuer cert claims, instead defaulting to simple subjectDN to issuerDN string matching. "
You could then claim that your id certificate was issued by, say, Adobe systems. As the installer doesn't check the certificate chain it will accept your certificate and signature and treat it as an Adobe app. This gives your app all of the privileges of a true Adobe app. For example, if you try to load it as an extension to the webview plugin, it checks the app's signature and allows it in as an Adobe app. As a plugin is outside of the browser sandbox, malicious code can do anything it likes.
As an app can be signed by multiple certificate,s this allows a single rogue app to gain the default permissions of lots of other app manufacturers.
The code that causes the problem is apparently in some of the runtime routines provided by the old Harmony project. Apache Harmony was a project that was going to provide an alternative open source JDK to the "official" Oracle Java runtime and libraries. Google uses Harmony as some of the code in its class library. The Harmony project was wound up in 2011 and so to a certain extent the fact that the flaw has survived so long is down to Google.
Google was informed of the bug in April and a patch that fixes it, Google bug 13678484, has been available for some time and has been applied to the AOSP. It has also been verified that there are no apps in Google Play that make use of the exploit.
If you think that using old open source software is a silly security risk, consider the situation if this was old closed software? Would the problem have been found at all?
One of the highlights of the programming year is SIGGRAPH and particularly the video trailer that showcases the work that is being presented. This year's is well worth the three minutes it takes [ ... ]