Jul 30, 2014

How does Android “Fake ID” vulnerability compromise security and what can be done to prevent it?

The latest Android vulnerability has been called Fake ID, and as I understand it fools the OS by pretending to be a different app. How does it do that, and what can I do to prevent it?


This exploit took advantage of a vulnerability in the way Android checks the certificates of applications, and allows a fake certificate (or “fake ID”) to be used to grant permissions that an app like Flash or Gmail would have when the permissions should be restricted. This can allow malware to more or less take over the entire device. There is no real fix for it on the use end, other than to stick to Google Play and only install apps with a large user base from trusted developers. Google has issued updates and made changes to Play to try to keep out malicious apps that use the exploit. This is no guarantee of complete mitigation of this risk, but it should help. 

Answer this