This week, a fairly serious topic has been haunting the Android community, coming from the mobile security company Bluebox, which claimed to have discovered a serious bug that would allow any device running Android, from version 1.6 upward, to be completely exposed to any hacker , allowing your passwords, calls and texts to be in their complete control. It sounds like a nightmare, and to be honest, it kind of is. Android has always been the more open alternative when it came to mobile operating systems, but stuff like this has always been on the mind of companies or individuals that rely on security and safety for their living. Is Android secure? Being so open comes with risks, although to be fair, this problem wouldn’t even be discovered if it wasn’t open to begin with, so there’s that. Still, these sorts of scandals rarely break on the competition, making it seem fairly attractive in comparison.
This hack, more correctly referred to as a bug or exploit, works due to a flaw on how Android apps are verified by the operating system, allowing hackers to change the signature of an app to make it seem absolutely and completely safe, even if it had known malicious software embedded in it. Scary stuff. But what’s even scarier is the fact that even though this exploit has been discovered, most of the affected devices will not get a patch or fix it. This is the same problem with the fragmentation of Android and the difficulty in bringing every Android device up to date, but while being left out to dry and forced to use an outdated version of Android is already terrible to begin with, especially when you look at iOS’s update model, being left with well-known and well-documented exploits on your device is just a bit much, but that’s what will probably end up happening with most devices.
But what’s the real deal here? Is this as bad as it sounds? Well, yes… and no. This is not great news, but the reality is that, if your device is rooted or if you’re using a custom ROM, you already have much greater security issues to worry about. Granting root to a malicious application would allow any of the effects of this exploit to begin with, and a ROM with malicious code embedded in it or even custom optimizations would already result in the chance of something like this being possible, so I wouldn’t fret too much if you happen to share this scenario. Also, if you’re running a stock ROM on a stock device, and don’t have the “Allow apps from unknown sources to be installed” option enabled in your Settings, an option which is required to sideload apps, this also will not affect you at all. So, if you’re worried about this, I’d disable that option if I were you.
Still, this covers a fairly large portion of the Android userbase: all which is really required is that you’re running a stock device and are allowing sideloaded apps to be installed. Is anything being done to protect you? Well, yes. The issue has been fixed by Google. The bad news is that unless you’re using one of the few devices that will get an update in the near future (or unless you’re using custom ROMs, and have a fairly active community), you will not get the fix. Google has also taken measures to make the Play Store more secure against this exploit, by not allowing apps containing the exploit to be uploaded to the service, which means that any app you download off the Play Store will be absolutely safe.
That’s a good start, but it does not cover alternative app stores like Amazon’s, and obviously does not cover the hordes of third-party apps developed in places like XDA and so on. Those will still be a gamble, and there’s really not much you can do about it, except be smart and keep from downloading any apps from outside the Play Store, and disabling the option to sideload apps at all, if you’re being really careful. Another way you can protect yourself is, ironically, to root your device and install an updated ROM like CyanogenMod, since the latest releases already include a fix for the exploit. So, with that in mind, be careful about what you install in your device if you’re not protected. If it was dangerous before, with this new exploit installing unknown applications is more dangerous than ever. Be safe, and as usual let us know if you have any questions or comments in the section below!