I was listening to the excellent Risky Business analysis of the Droidpocalypse this week, and I’m happy to report that the vulnerability that affects 90% of Android devices ever made, while serious, is vastly overstated.
It’s overhyped because anyone in a position to exploit this bug would already be in a position to do nasty things without it. The only practical way to use it is to gain control of a developer’s account and upload the doctored package to the Play Store, Amazon’s App Store, or some other third-party app store. Because the connection between the device and the store is encrypted, it isn’t possible to sit between the device and the store and inject the infected file, a detail that was missing in every account of this vulnerability that I’ve seen.
Basically, all this bug lets someone do is hide their malicious code inside a package that still looks properly signed. Then again, if I wanted to 0wn devices and already controlled a developer’s account, why wouldn’t I just post an update so a bunch of devices would download my malware?
The people who are really vulnerable to this are the people who download pirated Android apps, and that’s assuming the pirates check the checksums on their warez. Most probably don’t, so they’re vulnerable to malware with or without this bug.
Let’s talk about the bug.
An APK file is just a zip file. The zip format doesn’t expect two entries with the same path, and most tools reject or overwrite duplicates, but some parsers will roll with it. Android’s does. The problem is that the signature check and the installation are done by two different parsers that disagree about which duplicate wins: when an APK contains multiple entries with the same name and path, the verifier computes the checksum over the first one, but the last one is the one that ends up being written to the device. The signature is valid for the bytes the verifier looked at, and the code that runs is the bytes it didn’t.
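To make the parser disagreement concrete, here is an added example (not code from the original post, and not Android’s real signing scheme): a constructed zip with two `classes.dex` entries, a stand-in verifier that hashes the first entry, an installer stand-in that reads the last, and the duplicate-name check an installer should run before trusting either. The “signed digest” is just a SHA-1 over the benign bytes, and Python’s own `zipfile` plays the role of both parsers, since its `infolist()` lists every entry in central-directory order while `read(name)` goes through a dict keyed by filename and so returns the last one.

```python
"""Constructed demo of the duplicate-zip-entry problem described above.
The 'APK' is a plain zip built here; the 'signature' is a SHA-1 stand-in
for the signed manifest digest, not Android's real APK signing."""
import hashlib
import io
import warnings
import zipfile
from collections import Counter

ENTRY = "classes.dex"
BENIGN = b"benign dex bytes (constructed sample)"
MALICIOUS = b"malicious dex bytes (constructed sample)"


def build_apk(entries):
    """Write a zip with the given (name, data) pairs in order.
    Duplicate names are allowed; zipfile only warns about them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")  # silence "Duplicate name" warning
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def first_entry_digest(apk: bytes, name: str) -> str:
    """Verifier-side parser: walk the central directory in order and hash the
    FIRST entry with a matching name (the order the page describes)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        first = next(i for i in zf.infolist() if i.filename == name)
        # Opening by ZipInfo reads that entry's own local header, not the dict.
        return hashlib.sha1(zf.open(first).read()).hexdigest()


def verifier_passes(apk: bytes, name: str, signed_digest: str) -> bool:
    """Accept the package if the first entry matches the signed digest."""
    return first_entry_digest(apk, name) == signed_digest


def installer_extracts(apk: bytes, name: str) -> bytes:
    """Installer-side parser: looks the name up in a filename-keyed dict, so the
    LAST central-directory entry wins (ZipFile.read behaves this way)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)


def duplicate_entries(apk: bytes) -> list:
    """Hardened check: every name that appears more than once. A package with
    any duplicates should be rejected before verification is even attempted."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        counts = Counter(i.filename for i in zf.infolist())
    return sorted(n for n, c in counts.items() if c > 1)


def demo() -> dict:
    """Developer signs the benign build; attacker appends a second entry."""
    signed_digest = hashlib.sha1(BENIGN).hexdigest()
    apk = build_apk([(ENTRY, BENIGN), (ENTRY, MALICIOUS)])
    return {
        "verifier_passes": verifier_passes(apk, ENTRY, signed_digest),
        "installed": installer_extracts(apk, ENTRY),
        "duplicates": duplicate_entries(apk),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier says yes, the installer writes the malicious bytes, and the only thing that catches it is refusing any zip whose central directory lists a name twice, which is the shape of fix that closes this class of bug regardless of which parser prefers which duplicate.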
So, while the bug itself is very serious, it’s incredibly difficult to put yourself in a position to use it. Adobe fixes something worse than this in one product or another practically every month.
This story stems from a researcher’s upcoming presentation at a security conference, exactly like my once and present colleague Rich and the wifi-hacking aeroplane he and his buddy built in Rich’s garage. I helped Rich and Mike with the publicity running up to their presentation. If I’d known then what I know now, I could have turned their presentation into a media circus two months long.
And I would have only felt slightly bad about doing it. Because while it would have involved preying on the media’s fear, uncertainty and doubt, warflying remains a serious vulnerability that far too few people have addressed.
Meanwhile, although this is a very cool finding, its impact on Android users who behave themselves is minimal, especially because Google learned about it in advance and took precautions both on their end and on the device end. Because this bug was disclosed responsibly, it is now a cool Defcon presentation, but little more.