A new Flaw in Android has been Discovered: It is being termed as FakeID, and affects all phones with an Android Version between 2.1 and 4.4, which means that this flaw affects upto 82.9% of All Android Devices.
Your Android Device relies on Certificates, to only allow certain Apps for accessing other Apps, or the Android System itself. Basically, by exploiting the Fake ID Vulnerability, an App can act as if it has the necessary credentials, which results in it getting access to all Apps and the Android System, giving it potential for introducing malicious Code into the System.
“There are “parent certificates” and “child certificates”, which are checked against one another upon installation to ensure they match up and the app is trusted. The parent, usually handed down by the original software creator, effectively proves the child is worthy of being trusted, as part of what is known as the “certificate chain”.
“For instance, any app that contains a parent certificate from Adobe Systems is allowed to launch a webview plugin, which is used to load HTML code in apps, in all other applications.
So an attacker could create a new certificate that appeared to have been issued by Adobe and merge it with the child certificate of a malicious application. That bad app would then get all the permissions Adobe software would without the user being alerted.”
The more scarier part? An Application could in the same way get all the priveleges of Google Wallet, and put your Money at risk.
The Vulnerability was discovered by Bluebox Labs. and is said to be patched in Android Kitkat. It is scary to see that such a bug has existed for so long in Android. The fact of the matter is that, 82.9% of Android users still aren’t on Kitkat, and are therefore Vulnerable. What do you think of Fake ID?