Most of the angst and controversy surrounding Google’s decision to remotely erase a benign application from a couple of hundred Android phones recently has centered just on the fact that Google has that ability–as well as the ability to remotely install apps. But, as one security expert says, that may be a minor piece of the puzzle.
The way that the Android remote removal and install functions work is that when an Android user chooses to install an application from the Android Market, the phone sends a message to a remote Google server. That server then sends a special message to the GTalkService on the phone, telling it to download the application and install it. The missing element in all of this is the fact that this operation is done over SSL, a protocol that has been shown to be vulnerable to a number of attacks, including man-in-the-middle and certificate falsification attacks.
As Nate Lawson, founder of Root Labs and an expert on cryptography and low-level security design and analysis, points out, this could be a serious problem. SSL was essentially meant to provide a secure transport layer between two given points. But the nature of the Internet and mobile networks today is such that virtually no transaction involves just two machines.
“Even if the apps were stored on a single Google server, they are
still compiled and signed on other systems. Anywhere along that
production chain, a compromise could lead to apps being trojaned and
surreptitiously pushed to many Android phones,” Lawson wrote in an analysis of the Android model. “Android does provide some security in its code signing model. The
developer’s signature on the .apk is basically a JAR signature. The hash
of the APK cert is used to determine if a new app can access the same
data as the previous app since it determines which UID an app gets.
However, this only protects data created by existing apps from being
accessed by other apps that are not signed with the same key. It also
doesn’t say anything about the legitimacy of the code since the
developer signs it themselves, often with a self-signed cert.”
That last point is part of a larger problem with the Android Market and other such mobile app stores: malicious, flawed or faulty applications can slip through the cracks. In the case of the Android Market, there is no approval process, a la the iTunes App Store, requiring developers to submit their code for approval before it’s posted for download. Developers can simply submit their apps and they’ll appear in the Market within a few minutes.
As security researcher Tyler Shields of Veracode has shown with his txsBBSPY application, these app stores are a major weak point in the mobile ecosystem.
“App stores have good and bad things about them. Everything is in one
place, which is nice. But the negative is that you have one point of
distribution for potential threats,” Shields said. “If I can get past a
single wall, I can potentially get lots of downloads very rapidly. How
do users know the dangerous apps from the safe ones in the app store?”