Expert Comments: Major Android Security Leak

By ISBuzz Staff, Editorial Team, Information Security Buzz | Dec 05, 2022 09:21 am PST

Please see below comments for your consideration regarding the world’s largest Android smartphone manufacturers – Samsung, LG, Xiaomi and MediaTek – having been left vulnerable to malicious apps with system-level privileges following the leak of their platform-signing keys:

Ivan Wallis, Global Architect
InfoSec Expert
December 5, 2022 5:26 pm

This is a great example that showcases the lack of proper security controls over code signing certificates, in particular the signing keys for the Android platform. These certificate leaks are exactly related to this, where these vendor certificates made it into the wild, allowing for the opportunity for misuse and the potential to sign malicious Android applications masquerading as certain “vendors”, similar to SolarWinds. Bad actors can essentially gain the same permissions as the core service. The lack of the who/what/where/when around code signing makes it difficult to know the impact of a breach, because that private key could be anywhere. At this point it must be considered a full compromise of the code signing environment, and key/certificate rotation must happen immediately.

Last edited 2 months ago by Ivan.Wallis
Tony Hadfield, Director Solutions Architect
InfoSec Expert
December 5, 2022 5:22 pm

This is a great example of what happens when organizations sign code without a plan to manage code signing keys. If the keys fall into the hands of an attacker, it can lead to catastrophic breaches. The only way to prevent this kind of problem is to have an auditable ‘who/what/where’ solution: how do you control signing keys, where are they stored, who has access to them, and which kind of code gets signed? You need this information to protect your keys and also to respond quickly to a breach by rotating your public and private keys.

Last edited 2 months ago by Tony Hadfield
