CUPB/M.

Tech-CS/SET/CST/2013-14/15

CBS.509

Android Vulnerabilities to Impersonate

Trusted Applications
Sanju
M.Tech. Cyber Security
Centre for computer science & Technology
Central University of Punjab, Bathinda (Punjab)
Abstract- the Linux-based Android operating system
specially designed for touch screen mobile devices are
becoming more and more popular. Android operating
system is widely used for tablet devices. This operating
system is a best platform for devices with larger screen
sizes. The Android system programs are usually
efficient and secure in memory management. However,
there has been a few security issues reported that show
Androids insufficient protection to the kernel. In this
paper, we will study the recent vulnerabilities of the
Android operating system and what be the implications
of these vulnerabilities to the user and users data.
Keywords: Android, Kernel, GPS, AOSP, OHA, Trojan,
Vulnerability

I.
INTRODUCTION
Android is described as a mobile operating system,
initially developed by Android Inc. Android was sold
to Google in 2005. Android is based on a modified
Linux 2.6 kernel. Google, as well as other members
of the Open Handset Alliance (OHA) collaborated on
Android (design, development, distribution).
Currently, the Android Open Source Project (AOSP)
is governing the Android maintenance and
development cycle. Android operating system is
primarily designed for smartphones and tablets.
Because Android is an open source it has become the
fastest growing mobile operating system. Due to its
open nature it has become favourite for many
consumers and developers. Moreover software
developers can easily modify and add enhanced
feature in it to meet the latest requirements of the
mobile technology. Android users download more
than 1.5 billion applications and games from Google
Play each month [6]. Due to Its Powerful
development framework users as well software
developers are able to create their own applications
for wide range of devices. Some of the key features
of Android operating system are: Application
Framework, Dalvik virtual machine, integrated
browser, Optimized Graphics, SQLite, Media

Support, GSM Technology, Bluetooth, Edge, 3G, WiFi, Camera and GPS etc. It provide JAVA
programming language for application development.
A. DIFFERENT SECURITY FEATURES OF
ANDROID OPERATING SYSTEM
Security is always the main concern of user while
moving to any platform. Android Operating system
should ensure the security of users, user's data,
applications, the device, and the network. To achieve the
security of these components Android provides these key
security features:
Security at the Operating System level through the
Linux kernel: Android operating system is based on
Linux kernel. Due to its open source nature it is
researched, attacked and fixed by many research
developers. So Linux has become stable and secure
kernel. Linux kernel provides Android with several key
security features including:

A user-based permissions model: In the Linux file

system each file and directories has three user based
permissions. Owner, group, other users.
Owner -The Owner permissions apply only the owner
of the file or directory.
Group-The group permissions apply only to the group
that has been assigned to the file or directory.
Other users-The other Users permissions apply to all
other users on the system.
Each file or directory has three basic permission types:
Read- The read permission means user's ability to read
the contents of the file.
Write- write permissions mean's user's ability to write
or edit a file or directory.
Execute -The execute permission means user's ability
to execute a file or view the contents of a directory.
This permission model ensures that proper security is
maintained while accessing android files.

CUPB/M.Tech-CS/SET/CST/2013-14/15

CBS.509

a. Process isolation: The Android operating

system assigns a unique user ID (UID) to each
Android application and runs it as a separate process.
b. Extensible mechanism for secure IPC.
c. The ability to remove unnecessary and
insecure parts of the kernel.

mechanism to allow or restrict application access.

By default, Android applications have no
permissions granted, making them safe by not
allowing them to gain access to protected APIs.
Some of the protected APIs include: Camera
functions, Location data (GPS), Bluetooth
functions, Telephony functions, SMS/MMS
functions and Network or data connections. These
resources are accessed only through the operating
system.
In spite of so many security features. Android
operating system is not completely secure. Users are
still in the eye of attackers. Because of the
vulnerabilities found in the operating system, which
attackers are ready to exploit.
II.
SOME
OF
THE
RECENT
VULNERABILITIES
OF
ANDROID
OPERATING SYSTEM

2) Application sandbox for all applications: A

sandbox is a security mechanism for separating
running programs and limiting the resources of
the device to application. It is often used to
execute untested code or programs from untrusted
users and untrusted websites. By using
sandboxing technique limited access to devices
resources is given. Therefore security of the
system is increased. Sandboxing technology is
frequently used to test unverified programs which
may contain a virus or other malware code,
without allowing the software or code to harm the
host device. With the help of sandbox untrusted
program access only those resources of the device
for which permission is granted. Permission is
denied if it tries to access other resources of the
device.

A. FAKE ID VULNERABILITY
Every Android application has its own unique
identity, typically inherited from the corporate
developers identity. Recently a new vulnerability in
Android is discovered, which allows these identities
to be copied and used for nefarious purposes.
Dubbed Fake ID, the vulnerability allows
malicious applications to impersonate specially
recognized trusted applications without any user
notification. This can result in a wide spectrum of
consequences. For example, the vulnerability can be
used by malware to escape the normal application
sandbox and take one or more malicious actions:
insert a Trojan horse into an application by
impersonating Adobe Systems; gain access to NFC
financial and payment data by impersonating Google
Wallet; or take full management control of the entire
device by impersonating 3LM [3].
Implications: This is a widespread vulnerability
dating back to the January 2010 release of Android
2.1 and affecting all devices that are not patched for
Google bug 13678484, disclosed to Google and
released for patching in April 2014. All devices
prior to Android 4.4 (KitKat) are vulnerable to
the Adobe System webview plugin privilege
escalation, which allows a malicious application to
inject Trojan horse code (in the form of a webview
plugin) into other apps, which leads to taking
control of the entire app, all of the appss data, and
being able to do anything the app is allowed to do.

3) Secure inter process communication: Some of the

applications still use traditional Linux techniques
such as network sockets, file system and shared
files for inter-process communication. But
android operating system also provides new
mechanism for IPC such as Binder, Services,
Intents and Content Providers. All these
mechanism allows developers to verify the
identity of application and also used to set the
security policies.
4) Application signing: In order to install and run
applications on Android OS they must be digitally
signed. With this mechanism Android OS
identifying the author of an application. This
feature also used to establishing trust relationship
between applications. If an application is not
signed properly then it cannot be installed on the
emulator also. Some standard tools such as Key
tool and Jar signer are used to generate keys and
sign application .apk files.
5) Application-defined
and
user-granted
permissions: Permissions are an Android security

CUPB/M.Tech-CS/SET/CST/2013-14/15

CBS.509

Android 4.4 is vulnerable to Fake ID, but not

specifically to the Adobe System webview plugin
due to a change in the webview component (the
switch from webkit to Chromium moved away
from the vulnerable Adobe-centric plugin code) [2].

Adobe Systems, and sign an application with a

certificate chain that contains a malicious identity
certificate and the Adobe Systems certificate. Upon
installation, the Android package installer will not
verify the claim of the malicious identity certificate,
and create a package signature that contains the
both certificates. This, in turn, tricks the certificatechecking code in the webview plugin manager
(who explicitly checks the chain for the Adobe
certificate) and allows the application to be granted
the special webview plugin privilege given to
Adobe Systems leading to a sandbox escape and
insertion of malicious code, in the form of a
webview plugin, into other applications.
B. Master Key Vulnerability:
Master Key vulnerability in Androids security model
that allows a hacker to modify APK code without
breaking an applications cryptographic signature, to
turn any legitimate application into a malicious
Trojan, completely unnoticed by the app store, the
phone, or the end user. This vulnerability, around at
least since the release of Android 1.6 [1]. Installation
of a Trojan application from the device manufacturer
can grant the application full access to Android
system and all applications currently installed. The
application then not only has the ability to read
arbitrary application data on the device (email, SMS
messages, documents, etc.), retrieve all stored
account & service passwords, it can essentially take
over the normal functioning of the phone and control
any function thereof (make arbitrary phone calls,
send arbitrary SMS messages, turn on the camera,
and record calls). Finally, and most unsettling, is the
potential for a hacker to take advantage of the
always-on, always-connected, and always-moving
(therefore hard-to-detect) nature of these zombie
mobile devices to create a botnet. Detail of the
vulnerability is released in February 2013 [2].
How it works: The vulnerability involves
discrepancies in how Android applications are
cryptographically verified & installed, allowing for
APK code modification without breaking the
cryptographic signature [4].

How it work: Android applications are typically

cryptographically signed by a single identity, via
the use of a PKI identity certificate. The use of
identity certificates to sign and verify data is
commonplace on the Internet, particularly for
HTTPS/SSL use in web browsers. As part of the
PKI standard, an identity certificate can have a
relationship with another identity certificate: a
parent certificate (issuer) can be used to verify
the child certificate. Android applications use the
same certificate signature concepts as SSL,
including full support for certificates that are issued
by other issuing parties (commonly referred to as a
certificate chain). Application signatures play an
important role in the Android security model. An
applications signature establishes who can update
the application, what applications can share its data,
etc. Certain permissions, used to get access to
functionality, are only usable by applications that
have the same signature as the permission creator.
On specific devices, applications with the signature
of the device manufacture, or trusted third parties,
are allowed to access the vendor-specific device
administration (MDM) extensions that allow for
silent management, configuration, and control of
the device [2].
This is an appropriate use of digital signatures in a
system that supports the notion of PKI digital
certificate identities. However, a vulnerability that
has been relatively present in all Android versions
since Android 2.1, which undermines the validity of
the signature system and breaks the PKI
fundamental operation. The Android package
installer makes no attempt to verify the authenticity
of a certificate chain; in other words, an identity can
claim to be issued by another identity, and the
Android cryptographic code will not verify the
claim (normally done by verifying the issuer
signature of the child certificate against the public
certificate of the issuer). For example, an attacker
can create a new digital identity certificate, forge a
claim that the identity certificate was issued by

All Android applications contain cryptographic

signatures, which Android uses to determine if the
app is legitimate and to verify that the app hasnt
been tampered with or modified. This vulnerability
makes it possible to change an applications code

CUPB/M.Tech-CS/SET/CST/2013-14/15
without affecting the cryptographic signature of the
application essentially allowing a malicious author
to trick Android into believing the app is unchanged
even if it has been [5].
III.
CONCLUSION
A vulnerability is not dangerous until it remain
hidden. But attackers are working day and night to
find those vulnerabilities and exploit them for
malicious
gain.
Followings
are
general
countermeasures against Android vulnerabilities:
Its important to download the apps only from the
Google Play Store and, even while downloading
from the play store, make sure that you verify the
author of the application before downloading it. Do
not install applications from untrusted sources or
other Android stores.
Google has already rolled out patches for this. Make
sure you update your mobile with the latest patches
available.
Running anti-malware software on your device.

CBS.509

[3]

[4]

[5]

[6]

[7]

REFERENCES
[1]

[2]

Constantin, L. (2014, July 29). android-vulnerabilityallows-malware-to-compromise-most-devices-and-apps.

Retrieved from www.pcworld.com:
http://www.pcworld.com/article/2459240/androidvulnerability-allows-malware-to-compromise-mostdevices-and-apps.html
Constantin, L. (2014, August 1). android-vulnerability-stilla-threat-to-many-devices-nearly-two-years-later.
Retrieved from www.pcworld.com:
http://www.pcworld.com/article/2460760/android-

vulnerability-still-a-threat-to-many-devices-nearly-twoyears-later.html
Forristal, J. (2014, July 29). android-fake-id-vulnerability.
Retrieved from www.bluebox.com:
https://bluebox.com/technical/android-fake-idvulnerability/
master-key-android-vulnerability-used-to-trojanizebanking-app. (2013, August 2). Retrieved from
blog.trendmicro.com:
http://blog.trendmicro.com/trendlabs-securityintelligence/master-key-android-vulnerability-used-totrojanize-banking-app/
Rohit. (2013, august 28). android-master-key-vulnerabilitypoc. Retrieved from www.resources.infosecinstitute.com:
http://resources.infosecinstitute.com/android-master-keyvulnerability-poc/
Singh, R. (2014). An Overview of Android Operating
System and Its Security . Int. Journal of Engineering
Research and Applications , 519-521.
threat-of-the-month-android-master-key-vulnerability.
(2013, September). Retrieved from
www.scmagazine.com:
http://www.scmagazine.com/threat-of-the-monthandroid-master-key-vulnerability/article/307403/