Bluebox Labs, the mobile security research team at Bluebox Security, announced the discovery of an Android flaw they have dubbed “Fake ID”. “Fake ID” exploits a weakness in how Android checks an app’s digital signature, the mechanism Android uses to verify that apps are who they say they are.
Essentially, the issue is that while Android checked that an app presented the correct ID before granting it special privileges, it failed to check that the ID was in fact valid and not forged. As reported to the BBC, the researchers liken it to a visitor flashing a valid-looking badge to a security guard, but the guard never calling the visitor’s employer to verify he is who he says he is. “Fake ID” is concerning because no action or approval is required of the device owner, and any actions taken are hidden. In one example, the forged certificate signature could be exploited by an app to impersonate Google Wallet and obtain payment data. The flaw is said to affect Android from the January 2010 release of 2.1 up to Android 4.3.
For in-depth technical details on how the exploits work, see Bluebox Labs’ post here.
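To make the “badge without a phone call” distinction concrete, the following is an added illustration written for this post; it is not code from LastPass, Bluebox Labs or Android. It models a signing-certificate chain with a toy textbook-RSA signature over hard-coded Mersenne primes (a stand-in for real X.509/PKCS#1 signatures) and with constructed names (“Adobe Systems”, “Adobe Flash Player”, “Totally Legit App”). `flawed_check` grants privilege as soon as the trusted certificate merely appears in the chain, which is the shape of the bug described above; `verify_chain` walks the chain and verifies every issuer signature, so a certificate that only *claims* the trusted issuer is rejected.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook RSA over hard-coded Mersenne primes. This models the chain-checking
# logic only; it is not a usable signature scheme. Real Android app certificates
# are X.509 with PKCS#1 padding. (Assumption for this example.)
M61 = 2**61 - 1
M89 = 2**89 - 1
M107 = 2**107 - 1
M127 = 2**127 - 1
E = 65537


def make_key(p, q):
    """Return ((n, e), (n, d)) for the two primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def digest(data):
    """Message representative: SHA-256 truncated to 128 bits so it is below every n used here."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(priv, data):
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data)


def tbs_bytes(subject, issuer, pubkey):
    """The 'to be signed' portion of a certificate."""
    return f"{subject}|{issuer}|{pubkey[0]}|{pubkey[1]}".encode()


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str      # the name this cert *claims* signed it
    pubkey: tuple    # (n, e)
    signature: int   # supposedly the issuer's signature over tbs()

    def tbs(self):
        return tbs_bytes(self.subject, self.issuer, self.pubkey)


def issue(subject, issuer_name, subject_pub, signer_priv):
    """Build a cert naming issuer_name as issuer, signed with whatever key the caller holds.
    Nothing stops a caller from naming an issuer whose private key it does not have."""
    sig = sign(signer_priv, tbs_bytes(subject, issuer_name, subject_pub))
    return Cert(subject, issuer_name, subject_pub, sig)


def flawed_check(chain, anchor):
    """Models the Fake ID bug: the trusted certificate only has to *appear* in the chain;
    nobody checks that each certificate was really signed by the one above it."""
    return any(c.subject == anchor.subject and c.pubkey == anchor.pubkey for c in chain)


def verify_chain(chain, anchor):
    """Correct check: walk leaf -> root, verify every signature with the issuer's public
    key, and require the walk to end at the configured trust anchor."""
    if not chain:
        return False
    root = chain[-1]
    if (root.subject, root.pubkey) != (anchor.subject, anchor.pubkey):
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False
        if not verify(issuer.pubkey, cert.tbs(), cert.signature):
            return False
    return True


# Constructed sample data: a trusted root, a genuine child cert signed by that root,
# and an attacker's cert that names the root as issuer but is signed with the attacker's own key.
ADOBE_PUB, _adobe_priv = make_key(M61, M89)
ADOBE_ROOT = issue("Adobe Systems", "Adobe Systems", ADOBE_PUB, _adobe_priv)

_flash_pub, _ = make_key(M107, M127)
LEGIT_CHAIN = [issue("Adobe Flash Player", "Adobe Systems", _flash_pub, _adobe_priv), ADOBE_ROOT]

_attacker_pub, _attacker_priv = make_key(M61, M127)
FORGED_CHAIN = [issue("Totally Legit App", "Adobe Systems", _attacker_pub, _attacker_priv), ADOBE_ROOT]

if __name__ == "__main__":
    for name, chain in (("legit", LEGIT_CHAIN), ("forged", FORGED_CHAIN)):
        print(f"{name:6s} flawed={flawed_check(chain, ADOBE_ROOT)} "
              f"verified={verify_chain(chain, ADOBE_ROOT)}")
```

Run as a script it prints that the flawed check accepts both chains while the full verification accepts only the genuine one. The point for defenders is that identity in a chain is only meaningful if every link is cryptographically verified back to a trust anchor you configured; the presence of a familiar certificate is not evidence of anything.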
Does this affect the LastPass Android app?
If you do not install apps from untrusted sources, you’re likely safe. Google has scanned all of the apps in the Google Play store and confirmed they have not seen anyone attempt to exploit this flaw to date. Since the flaw has only just been disclosed, it is unlikely that any malware has been written to take advantage of it yet.
Because it can be used to exploit this flaw, we have stopped the Adobe Flash plugin from loading in the LastPass browser and have issued an update to our app. This affects only Android 4.3 and earlier, since Android 4.4 and later does not include Flash and is therefore not susceptible to this bug. Even if a malicious app were to gain control of the device, all it would be able to get from LastPass would be a highly encrypted, unusable blob of data. Disabling offline access in the LastPass app’s preferences would also prevent this blob from being stored locally.
Advice on actions to take:
While this flaw is serious, most Android users should be able to avoid being affected by:
- Only downloading apps from the Google Play Store – apps downloaded from outside the store are not regulated by the app store policies.
- Avoiding untrusted apps – only download apps published by companies you know and trust.
- Removing unused or untrusted apps from your devices.
- Updating your phone to the latest available Android version in which this issue is patched.
We remain vigilant of any security discoveries that may affect the LastPass community and will update our users if any other details come to light.