Tuesday, November 27, 2012

Android 4.2 Security: App Signatures

It seems to be common knowledge now among security professionals that the Google Play Store is infiltrated with malware.  In an attempt to control the malware surge, Google is stepping up its efforts to clean house via security updates in 4.2.

One central mechanism appears to be signature-based recognition of APK files.  When an APK is loaded on a device, the app signature (most likely just a file hash) is uploaded to Google's servers for a reputation check.  It's cross-checked against Google's list of known and reported malware, and if it's found to be bad, the server sends a response telling the Android Package Installer to prevent installation.  If the reputation states that the app requires suspicious permissions, the installer asks you to confirm that you're comfortable with installing it and lists what access it's requesting.  ComputerWorld has a more in-depth explanation, for interested parties.  The only downside to all this is that unless our devices are rooted, we all have to wait on our carriers to release the update through their vetting marketing process.

This highlights another concept that's rapidly spreading among everyone getting into the software security space: leveraging the user base to protect the cloud.  I'll post another note expanding on that concept soon.