updated 09:59 am EDT, Tue July 9, 2013
Fix for four-year vulnerability sent to Android OEMs
Google has plugged a serious security hole in Android, one that potentially allowed for the installation of malware in an APK without breaking an app's cryptographic signature. The flaw, discovered in February, reported to Google and publicly announced last week by mobile security research firm Bluebox Labs, affects versions of Android as far back as version 1.6.
Android apps contain a cryptographic signature which proves to the device's kernel that it has not been altered or otherwise tampered by other parties. As the vulnerability allows the app to be changed without altering the signature, Android will believe it is unmodified, and will run the app as it normally would.
Speaking to ZDNet, Android communications manager Gina Scigliano confirmed "that a patch has been provided to our partners - some OEMs, like Samsung, are already shipping the fix to the Android devices." Considering the typical schedule for updates from manufacturers via carriers, this could be a quick fix for the latest devices, while older generations of smartphone or tablet may end up waiting a considerable amount of time for the update.
While the flaw is potentially serious, it does not appear to have affected apps in general. Scigliant advised that Google has "not seen any evidence of explotation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue, and Verify Apps provides protection for Android users who download apps to their devices outside of Play."