“Fake ID has been resident in Android from version 2.1 to 4.4, although it was fixed in April as part of the latest update, Android KitKat. Millions of devices could still be at risk, though, as Google’s own figures show that 82.1% of Android users are running an older version.”
So to give little background on how this vulnerability works, each app is given a digital signature that determines who can update it, and what the app can do on your phone. To get this signature, apps use something called “Identity certificates” these verify that the right people are in control of the software.
There are two types of these identity certificates: The parent certificate, and the child certificate. The parent certificate is handed down by the software creator, and is used to prove the app with the child certificate can be trusted. This process is called the certificate chain.
Versions 4.4 of Android, and those before it did not have adequate checks, to confirm the validity of the child certificate. This makes it possible to create a child certificate that claims to have been issued from a difference source that it has.
For example an app from Adobe that has been authorized, this gives permissions to launch a webview plugin, which can load HTML code within the app. Someone could create a certificate which stated it was from adobe, then by merging it with a less than benign app, that app gets all the same permissions an authorized adobe app would possess, all without the user being notified.
Google has stated that it’s patched this issue, but to take advantage of this, we’d suggest updating your android as soon as possible. Or being especially careful what apps you install.
Before you speak to an agency call us now
If you want to get a true return on your investment, you need to make your business a digital product business, not just turn out digital products.
We have the know-how, the process and the experience to get you there.
Get in touch at at +44 (0) 203 858 0085 or hello@nimblelondon.com