{"id":2074,"date":"2014-08-14T14:35:32","date_gmt":"2014-08-14T14:35:32","guid":{"rendered":"http:\/\/2b3.analogman.org\/?p=2074"},"modified":"2015-01-15T23:24:33","modified_gmt":"2015-01-15T23:24:33","slug":"a-problem-with-android-fake-id-vulnerability-fix-it-asap","status":"publish","type":"post","link":"https:\/\/www.2bridgestech.com\/?p=2074","title":{"rendered":"A Problem with Android : \u201cFake ID\u201d Vulnerability Fix it ASAP"},"content":{"rendered":"
by 2bridges CIO, Ken Lombardi<\/h5>\n

Don\u2019t worry. The sky is not falling, but after we heard of this problem 2bridges Technologies<\/a><\/strong>thought it was a important enough that we write a blog post to make our clients aware.<\/p>\n

Due to the level of access to your personal information this exploit allows it is a good idea to patch this on your android device as soon as possible. As our mobile devices become more and more enmeshed in our work and personal lives lots of information gets stored on these phones and tablets, information that probably should not find it\u2019s way into criminal hands. 2bridges Technologies<\/a><\/strong> feels that your data should remain yours.<\/p>\n

Specifically this vulnerability allows malicious apps to masquerade as good apps and helps them (the bad guys) past the checks in place to prevent illegitimate apps from being installed on your device (These are not the droids you are looking for). Personal information can be gathered or even complete control of your device can be achieved by the bad guys simply through impersonating a security management feature baked into your device.<\/p>\n

Here is what Bluebox Security<\/a> (authors of an android security app and host to many other services) has to say:<\/p>\n

\u201cUsers of devices from specific vendors that include device administration extensions are at risk for a partial or full device compromise by malware. The 3LM device extensions (temporarily owned by Motorola and Google) are present in various HTC, Pantech, Sharp, Sony Ericsson, and Motorola devices \u2013 and are susceptible to the vulnerability as well.<\/p>\n

Other devices and applications that depend upon the presence of specific signatures to authenticate an application may also be vulnerable. Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability.\u201d<\/p><\/blockquote>\n

So. What this means is that there are two methods used to exploit this vulnerability and even if you are running KitKat (android 4.4), which had had the \u201cAdobe System web view plugin privilege escalation\u201d exploit removed \u2013 one of the methods (verified signature chains) is still available for bad guys to leverage on your android equipment.<\/p>\n

 <\/p>\n

\n

<\/h2>\n

Exploration \u2013 do you have this vulnerability?\"Bluebox_securityScan\"<\/h2>\n

It is not difficult to determine if your devices are vulnerable to these exploits. Bluebox Security<\/a>\u00a0offers an application that will make this very simple, the \u201cBluebox Security Scanner\u201d.<\/p>\n

This is available on the Google Play Store. https:\/\/play.google.com\/store\/apps\/details?id=com.bluebox.labs.onerootscanner&hl=en<\/a> and is free.<\/p>\n

Once you install and run Bluebox it will look over your device and give you a screen with a bit of information on it. I want to focus on the \u201cSecurity Patch Status\u201d container, in particular, the Bug 13678484 (FakeID): item. The screenshot show that the device being tested is Patched. If yours shows \u2018Unpatched\u2019 then you should take steps to patch it.<\/p>\n

Sadly the directions I have are only for rooted devices. If you haven\u2019t rooted your device you should call your vendor, Verizon, T-Mobile, etc. and ask them how to obviate the risk of this exploit.<\/em><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

<\/h2>\n

 <\/p>\n

 <\/p>\n

\n

<\/h2>\n

For rooted users only \u2013 Patching\"\"<\/h2>\n

We will be using an application available through XDA forums to install a patch for this bug.<\/p>\n

Before we move to the that step we need to make a temporary change to our security settings in order to allow us to install that application which doesn\u2019t come directly from the Google Play Store.<\/p>\n

You need to go to your Settings or System Settings menu and navigate to Security and then select that menu item. Now find the \u201cUnknown Sources [ ]\u201d<\/strong> choice and check that box.<\/p>\n

Remember where you saw this selection because when we are done we want to go back and uncheck that box.<\/p>\n

Return to the home screen or use your app selector to choose your browser. Go to the url below.<\/em><\/p>\n

http:\/\/forum.xda-developers.com\/xposed\/xposed-installer-versions-changelog-t2714053<\/a><\/p>\n

We are going to install this exposed framework application to enable us to patch the exploit.<\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

\n

 <\/p>\n

Download:<\/h2>\n

You can download the installer from http:\/\/dl.xposed.info\/latest.apk<\/a><\/p>\n

\n

Quoting from XDA:<\/h2>\n

First step for everything you do: Create a nandroid backup and make sure you know how to restore it!<\/p>\n

I\u2019m not responsible for anything you do with your phone\/tablet\/rice cooker.<\/p>\n

There is also the risk to soft-brick your device. In such a case, see below for ways to recover from it.<\/p>\n

Installation of the framework<\/h2>\n
    \n
  1. Download the Xposed Installer APK and install it<\/li>\n
  2. Launch the Xposed Installer, go to the \u201cFramework\u201d section and click on<\/li>\n
  3. \u201cInstall\/Update\u201d<\/li>\n
  4. Reboot<\/li>\n
  5. Done!<\/li>\n<\/ol>\n

    You can verify this by starting the Xposed Installer again and making sure that the numbers in the \u201cFramework\u201d section<\/strong> are Green.<\/strong><\/p><\/blockquote>\n

    After you click the link above you will need to select an application to download the Xposed Installer. If you have more than one browser \u2013 select the one you like the best.<\/p>\n

    After the download begins you will see a downward pointing arrow at the top of your screen (probably the left side) showing you that the file is being download. Now enter your notification area (I pull the screen down from the top \u2013 YMMV, Your Mileage May Vary) and click on the file.<\/p>\n

    It should say something along the lines of:<\/p>\n

    \u2026
    \nDownload Complete
    \nde.robu.android.xposed.installer_V32_de4f0d.apk
    \n\u2026<\/p><\/blockquote>\n

    \n
    \n

    Click on that and install it. Then open the app<\/strong><\/p>\n

    \"xposed_openingpage\"<\/p>\n<\/div>\n

    \n

    Select framework \u2013 install and reboot.<\/strong><\/p>\n

    \"xposed_frameworkreboot\"<\/p>\n<\/div>\n

     <\/p>\n<\/div>\n

     <\/p>\n

    \n

    <\/h2>\n

    After Rebooting<\/h2>\n

    After rebooting and restarting xposed-installer you will need to download and install a module that will actually do the patching of the exploit. The module is called \u201cFake ID fix\u201d.<\/p>\n

    Installation of the FakeID module<\/h2>\n
    \n
    \n

    Download Fake ID fix module by starting Xposed Installer and selecting the Download section.<\/strong><\/p>\n

    \"\"<\/p>\n<\/div>\n

    \n

    Click on the magnifying glass and enter \u201cFake\u201d<\/strong><\/p>\n

    \"\"<\/p>\n<\/div>\n

     <\/p>\n<\/div>\n

     <\/p>\n

    \n
    \n

    The Fake ID fix module should be at the top of the filtered list of modules \u2013 click it.
    \nInstall the module \u2013 like any other application \u2013 the source link is down near the bottom of the module description page<\/strong><\/p>\n

    \"xposed_FakeIDfix_moduleDescription\"<\/p>\n<\/div>\n

    \n

    Re-enter Xposed and select Modules \u2013 Enable the newly installed FakeID fix module by checking the checkbox<\/strong><\/p>\n

    \"\"
    \n \n<\/div>\n<\/div>\n

     <\/p>\n

     <\/p>\n

    \n

    <\/h2>\n

    Reboot (again)\"\"<\/h2>\n

    You should run the Bluebox Security Scanner again and insure that you are now patched.<\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n

    \n

    If you have any questions about this post or you are uncomfortable with this process please give us a call at 2bridges Technologies<\/a> (253) 292-9989 and we will be happy to help you.<\/h3>\n","protected":false},"excerpt":{"rendered":"

    by 2bridges CIO, Ken Lombardi Don\u2019t worry. The sky is not falling, but after we heard of this problem 2bridges Technologiesthought it was a important enough that we write a blog post to make our clients aware. Due to the level of access to your personal information this exploit allows it is a good idea to patch this on your android device as soon as possible. As our mobile devices […]<\/p>\n","protected":false},"author":1,"featured_media":2166,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[191,189,190,192],"tags":[],"class_list":["post-2074","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-important","category-in-the-news","category-technology"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/www.2bridgestech.com\/wp-content\/uploads\/2015\/01\/blog-fix_asap.png","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5AwLi-xs","_links":{"self":[{"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=\/wp\/v2\/posts\/2074","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2074"}],"version-history":[{"count":80,"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=\/wp\/v2\/posts\/2074\/revisions"}],"predecessor-version":[{"id":2164,"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=\/wp\/v2\/posts\/2074\/revisions\/2164"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=\/wp\/v2\/media\/2166"}],"wp:attachment":[{"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2074"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2074"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.2bridgestech.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}