The Google Play store has been an Eden for hackers wanting to get malicious code onto Android devices. A number of things made the marketplace too tempting for attackers to resist, including the open source nature of the operating system, lax vetting of developers, and the ability to modify code in runtime by pushing app updates from outside the store.
Recently, Google took steps to remedy that situation with important policy changes that prohibit developers from sending users who download apps from Google Play to another site outside of the marketplace for updates. The policy change with the most security implications reads: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.
APKs are the Android application package file used by Google Play to download or update applications. Hackers have been able to successfully abuse them in a number of arenas, including targeted attacks against Tibetans who exchange app updates via APKs over email attachments because of limited access to the Internet.
“The changes are long overdue,” said Jon Oberheide, cofounder and CTO of Duo Security, a hosted two-factor authentication service for mobile devices. “We first pointed out the security risk of applications downloading new executable code at runtime back in 2009 with a proof of concept app that masqueraded as a Twilight Eclipse app and silently polled at a remote server for exploit payloads to pull down to root the device at an attacker’s whim.”
For the time being, these are paper changes on the part of Google, setting the stage for an automated mechanism down the line. That along with mandatory code-signing, which also makes traditional memory-corruption exploits difficult, would someday bring Google in line with Apple’s submission process.
Apple is much more of a walled garden when it comes to application development and code submission for the App Store. Users must present valid identification, be it a driver’s license or articles of incorporation for a business developers’ license. In Google Play, only a credit card is required to obtain a license. While both Apple and Google do some type of static code review, Apple requires all code be signed, unlike Google. All of these factors have surely cut into the effectiveness of Bouncer, Google’s application malware scanner.
“Eliminating the ability for an app to change its behavior based on external input or runtime environments (the more general problem beyond pulling down new executable code), is much more difficult,” Oberheide said. “Removing the ability to pull down executable code definitely raises the bar and is an additional step toward implementing mandatory code signing, similar to iOS. Even with mandatory code signing, as Apple openly admits, preventing an app from changing its behavior at runtime is near impossible from a theoretical point of view.
“Performing any sort of effective static or dynamic analysis along the lines of Bouncer is intractable if the application you’re analyzing will pull down its real code and exhibit malicious behaviors at some arbitrary point in the future beyond what Bouncer will catch.”