Security is an expensive hassle —
The cryptographic key proves an update is legit, assuming your OEM doesn’t lose it.
A developer’s cryptographic signing key is one of the major linchpins of Android security. Any time Android updates an app, the signing key of the old app on your phone needs to match the key of the update you’re installing. The matching keys ensure the update actually comes from the company that originally made your app and isn’t some malicious hijacking plot. If a developer’s signing key got leaked, anyone could distribute malicious app updates and Android would happily install them, thinking they are legit.
On Android, the app-updating process isn’t just for apps downloaded from an app store, you can also update bundled-in system apps made by Google, your device manufacturer, and any other bundled apps. While downloaded apps have a strict set of permissions and controls, bundled-in Android system apps have access to much more powerful and invasive permissions and aren’t subject to the usual Play Store limitations (this is why Facebook always pays to be a bundled app). If a third-party developer ever lost their signing key, it would be bad. If an Android OEM ever lost their system app signing key, it would be really, really bad.
Guess what has happened! Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.
These companies somehow had their signing keys leaked to outsiders, and now you can’t trust that apps that claim to be from these companies are really from them. To make matters worse, the “platform certificate keys” that they lost have some serious permissions. To quote the AVPI post:
A platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user id—android.uid.system—and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.
Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn’t quite root access, but it’s close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.
