Researchers at the firm Bluebox Security said that Android verifies mobile applications using the Apache Harmony module. This module has a flaw in it.
The vulnerability affects devices running Android versions 2.1 to 4.4.
According to Bluebox, Apache Harmony affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications.
Application signatures are the basis of the Android application trust model and link different applications with a reputable certificate authority.
Mobile application signatures on Android are secured using a Public Key Infrastructure (PKI) with certificate authorities.
But the package installer component of older versions of Android do not attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates.
This means that a hacker can build a certificate and claim it has been issued by another identity, and the Android cryptographic code will not check.
If a hacker faked an Adobe Systems certificate vulnerable versions of Android will treat the application as if it was actually signed by Adobe.
It would give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual ‘sandbox’ environments.
Apache Harmony was abandoned in 2011 and was supposed to offer an open source alternative to Oracle’s Java technology. Google turned to Harmony as an alternative means of supporting Java after failing to strike a deal with Oracle to license Java.
Google continued to use Android libraries that were based on Harmony code even after the project was abandoned.
Google said that it is working with Bluebox to fix the vulnerability and has quickly issued a patch that was distributed to Android partners.