Expert Comments: Major Android Security Leak

By ISBuzz Team, Writer, Information Security Buzz | Dec 05, 2022 09:21 am PST

Please see below the expert comments for your consideration regarding the world's largest Android smartphone manufacturers, Samsung, LG, Xiaomi and MediaTek, having been left vulnerable to malicious apps with system-level privileges following the leak of their platform-signing keys:

Ivan Wallis, Global Architect
December 5, 2022 5:26 pm

This is a great example that showcases the lack of proper security controls over code signing certificates, in particular the signing keys for the Android platform. These certificate leaks are exactly related to this, where these vendor certificates made it into the wild, allowing for the opportunity for misuse and the potential to sign malicious Android applications masquerading as certain “vendors”, similar to SolarWinds. Bad actors can essentially gain the same permissions as the core service. The lack of the who/what/where/when around code signing makes it difficult to know the impact of a breach, because that private key could be anywhere. At this point it must be considered a full compromise of the code signing environment, and key/certificate rotation must happen immediately.

Last edited 1 year ago by Ivan.Wallis
Tony Hadfield, Director Solutions Architect
December 5, 2022 5:22 pm

This is a great example of what happens when organizations sign code without a plan to manage code signing keys. If the keys fall into the hands of an attacker, it can lead to catastrophic breaches. The only way to prevent this kind of problem is to have an auditable ‘who/what/where’ solution: how do you control signing keys, where are they stored, who has access to them, and what kind of code gets signed? You need this information to protect your keys and also to respond quickly to a breach by rotating your public and private keys.

Last edited 1 year ago by Tony Hadfield
