Feeds

Another zombie 'bogus app' bug shambles out of Android

KitKat is safe, older Androids susceptible to .ZIP-derived attack

Beginner's guide to SSL certificates

Jay Freeman, aka @saurik, has detailed another Zip implementation bug in pre-4.4 (Kit Kat) versions of Android which, similarly to the notorious APK vulnerability exposed earlier this year, opens a hole that malware can sneak through.

Freeman – whose previous credentials include security analysis of Google Glass and uncovering the dodginess of the “iMessage for Android” app – has written in a blog post that he uncovered the extra vulnerability in June, but waited until Android 4.4 (with a fix) was shipping.

Freeman's dense post is here, and is unpicked and explained by Sophos' Paul Ducklin at Naked Security here.

In brief, the extra APK vulnerability offered a path for an attacker to exploit the way Android used Zip file headers to verify the software. As Ducklin explains, Zip still carries an obsolete of its history around with it: lots of filename redundancy in case files had to be split across multiple floppy (remember those?) disks. To help a program navigate a file, the header includes a field for filename length – this lets an extractor navigate to where the file data is, by skipping the header.

As Ducklin writes, the problem is this: “The Java code in Android 4.3 and earlier, that extracts the file data to verify it, uses the filename length from the central directory. But the C code that extracts the file to install and execute it uses the filename length in the local header.”

An attacker could then take a verified app, add their malware, and modify the header length the C-code loader uses to point not to the legitimate app, but to the malware. Ducklin's illustration shows this simply:

Paul Ducklin's illustration of the APK vulnerability

Image: Paul Ducklin, Naked Security

As Saurik writes: “The central directory includes a file offset for each local header, so that once the Java code has finished verifying a file, it can jump directly to the next one, thus avoiding the local header data that would cause it to skip forward incorrectly. The imposter data, squeezed between the legitimate file and the next local header, is simply ignored.”

The fix in Kit Kat is to force Java to look at the same data as the C-loader so that a discrepancy is identified. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.