Signing keys for a Facebook Android app have been compromised


Recently, the cryptographic key that Facebook used to sign one of its Android apps was compromised, and third parties have since been spotted re-using that key online. This is a serious problem for Facebook because it puts the app's users, and the developers who rely on signature checks, at risk.

The security of Android app updates depends entirely on the secrecy of the app's signing key. Android accepts an update only if it is signed with the same key as the installed version, so the key is what binds every future release to the original. If it falls into the wrong hands, it can be used to sign malicious updates. Developers therefore guard their signing keys as carefully as they can.


This time, Facebook failed to protect the signing key of its Free Basics app. Artem Russakovskii, owner of APK Mirror and Android Police, found the problem and reported it to Facebook immediately. The original app listing was then removed from the Play Store and replaced with a new app signed with a different key. The company has not revealed how the key was compromised or given its exact reason for re-releasing the app. Users who are still running the old version of the app remain at risk, although Facebook says it released a new version within 24 hours of Russakovskii's report.

Issue regarding third-party involvement

Many sites, APK Mirror among them, host Android apps for download. They do so for several reasons:

  • to mitigate geographic restrictions
  • to circumvent censorship
  • to provide a historical archive for comparison
  • to make rolling back updates easier


According to an Android Police report, they spotted third-party apps signed with a debug signing key that matched the key Facebook used for its Free Basics Android app.

After they reported the leaked key to Facebook, the company verified it and immediately issued a new version of the app, which the company says prompts users of the old app to upgrade from inside it. Facebook has not published any further details.

Since then, the listing for Free Basics by Facebook has been pulled from the Play Store and replaced with a new listing that uses a new app signing key. Android Police notes that the exact date the old app was de-listed is unknown: the last Internet Archive snapshot of the listing is from July, and the replacement app appeared on August 14th.

How do the signing keys work?

Developers sign Android apps with a cryptographic signature that identifies the app as legitimate regardless of where the APK was downloaded from. Android will only install an update over an existing app if the update is signed with the same key, so the security of that check rests entirely on the developer keeping the signing key secret. If the key becomes public, anyone can sign an app that claims to be an update, and users may install it right over the real app. A leaked key is therefore a serious threat.

To ease the problem, Google began letting developers store their app signing key with Google. With this service, called Google Play App Signing, the key cannot be lost, and a compromised key can be "upgraded" to a new one. Not all developers take advantage of it, however: if you follow Google's recommendation and destroy your local copy of the key after migrating, you can no longer distribute the app under a single key outside the Play Store.

In many cases it is simpler for developers who distribute through multiple channels to manage signing keys themselves. (Android 9 Pie also supports a new key rotation feature, APK Signature Scheme v3, which securely verifies a lineage of signatures in case a key needs to change, but it will be a while before every phone supports it.)

If a signing key falls into the wrong hands, third parties can distribute maliciously modified versions of the app as updates through venues outside the Play Store, and potentially trick sites like APK Mirror that rely on signature verification to vet uploads. Someone could upload a fake app that appears to be made by Facebook to a forum, or trick a less careful APK distribution site into publishing it on the strength of its valid signature. Users who stick to official sources like the Play Store should be safe, but people who are used to sideloading apps, or who are prompted to follow steps they don't fully understand, are at risk.
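The continuity check described above, as an added example that is not code from the article, Facebook or Android Police: it parses the APK Signature Scheme v2 block, fingerprints the signer certificates and accepts an "update" only when its signer set matches the installed package's. The APKs it runs on are constructed in the block itself (zip files with a v2-shaped signing block and placeholder bytes standing in for the DER certificates, with no real signatures), so it runs offline. A real verifier must also check the signatures over the signed data and the content digests, which this example deliberately omits.

```python
"""Signer-continuity check for Android APK updates (APK Signature Scheme v2).

Added example; not code from the article, Facebook or Android Police. It pulls
each signer's certificate out of the APK Signing Block, fingerprints it with
SHA-256 and refuses an "update" whose signer set differs from the installed
package's. Signature and digest verification is deliberately left out.
"""
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
APK_SIGNATURE_SCHEME_V2_ID = 0x7109871A
EOCD_SIGNATURE = b"PK\x05\x06"


def eocd_offset(data: bytes) -> int:
    """Offset of the zip End Of Central Directory record (last occurrence)."""
    idx = data.rfind(EOCD_SIGNATURE)
    if idx < 0:
        raise ValueError("not a zip file: EOCD missing")
    return idx


def find_signing_block(data: bytes) -> bytes:
    """Raw ID-value pairs of the APK Signing Block, which sits right before the
    central directory as: uint64 size | pairs | uint64 size | 16-byte magic."""
    cd_offset = struct.unpack_from("<I", data, eocd_offset(data) + 16)[0]
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block (unsigned or v1-only APK)")
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]  # excludes leading size field
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("corrupt APK Signing Block")
    return data[start + 8:cd_offset - 24]


def len_prefixed(buf: bytes):
    """Yield the uint32-length-prefixed chunks that make up buf."""
    pos = 0
    while pos < len(buf):
        n = struct.unpack_from("<I", buf, pos)[0]
        pos += 4
        yield buf[pos:pos + n]
        pos += n


def signer_certificates(data: bytes) -> list:
    """X.509 DER certificates of every v2 signer in the APK."""
    pairs, pos, certs = find_signing_block(data), 0, []
    while pos < len(pairs):
        length, block_id = struct.unpack_from("<QI", pairs, pos)
        value = pairs[pos + 12:pos + 8 + length]
        pos += 8 + length
        if block_id != APK_SIGNATURE_SCHEME_V2_ID:
            continue  # v3, padding and verity blocks live under other IDs
        (signers,) = len_prefixed(value)
        for signer in len_prefixed(signers):
            signed_data = next(len_prefixed(signer))  # signatures and public key follow
            _digests, cert_seq, _attrs = list(len_prefixed(signed_data))[:3]
            certs.extend(len_prefixed(cert_seq))
    return certs


def signer_fingerprints(data: bytes) -> set:
    """SHA-256 digests of the signing certificates (what apksigner prints)."""
    return {hashlib.sha256(c).hexdigest() for c in signer_certificates(data)}


def is_same_signer(installed_apk: bytes, update_apk: bytes) -> bool:
    """Accept the update only if it is signed by exactly the installed signer set."""
    old, new = signer_fingerprints(installed_apk), signer_fingerprints(update_apk)
    return bool(old) and old == new


# --- constructed sample data: zips with a v2-shaped signing block, no real signature ---
def u32_prefixed(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def plain_zip(payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", payload)
    return buf.getvalue()


def build_signed_apk(cert_der: bytes, payload: bytes) -> bytes:
    """Insert a v2 signing block carrying cert_der (placeholder bytes, not real DER)."""
    data = plain_zip(payload)
    eocd = eocd_offset(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    signed_data = u32_prefixed(b"") + u32_prefixed(u32_prefixed(cert_der)) + u32_prefixed(b"")
    signer = u32_prefixed(signed_data) + u32_prefixed(b"") + u32_prefixed(b"")  # no sigs, no key
    v2 = u32_prefixed(u32_prefixed(signer))
    pair = struct.pack("<QI", 4 + len(v2), APK_SIGNATURE_SCHEME_V2_ID) + v2
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    patched = data[:cd_offset] + block + data[cd_offset:]
    eocd += len(block)  # EOCD moved; point its central-directory offset past the block
    return patched[:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + patched[eocd + 20:]


if __name__ == "__main__":
    original = b"constructed DER stand-in: Free Basics signer"  # not a real certificate
    rotated = b"constructed DER stand-in: re-released app signer"
    installed = build_signed_apk(original, b"dex v1")
    # Leaked key: a trojanized build signed with the same key passes the continuity check.
    print(is_same_signer(installed, build_signed_apk(original, b"dex trojan")))
    # Re-keyed app: a different signer is a different identity and is refused as an update.
    print(is_same_signer(installed, build_signed_apk(rotated, b"dex v2")))
```

Run against real APKs, `signer_fingerprints` reports the same SHA-256 certificate digests that `apksigner verify --print-certs` does. The demo at the bottom shows the article's point: a trojanized build signed with the leaked key is indistinguishable from a genuine update, while the re-released app with a new key is refused as an update to the old one, which is why a re-keyed app needs a new application ID rather than shipping as an update. On Android 9 and later a v3 lineage can legitimately authorize a key change; this check ignores the v3 block and so behaves like an older phone.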

Note also that any update to the older Free Basics app delivered through the Play Store would still require the credentials of an account with access to the app's Developer Console, so there is no need to worry about downloading a malware-laden version from Google's (now defunct) listing for the compromised app.

We’ve already spotted third-party apps using the Free Basics by Facebook signature being distributed in the wild, so the effective “exploit” presented by the compromised security key is actively being used. Although we provided Facebook with evidence of these third-party apps using the Free Basics signing key, the company maintains it has “seen no evidence of abuse.” Apparently, third-party use of an app’s signing key does not constitute abuse in Facebook’s mind, though we personally consider any re-use of the leaked key to imply deliberate and potentially malicious intent.

New app details

Facebook has released a new app on the Play Store with a new application ID, changing both the app's system-facing name and its signing key. Facebook says it re-released Free Basics with the new key within twenty-four hours of Russakovskii's report, although Play Store records show the new app was updated on August 14th, five days after the company responded to his report about the leaked key.

Android Police reports that the previous listing showed over five million installs, while the updated version with the new key counts fewer than 50,000: either a great many people stopped using the app, or most have not yet moved to the new version.

The old app prompts users to move to the new version, but Facebook has made no announcement about it, and the Play Store shows nothing about the leaked key either.

The Free Basics app was meant for customers in developing countries where data is limited or prohibitively expensive. It has been banned in several countries over issues with the service.

Dangers of the third party based malware apps

People who are new to installing apps online are less likely to understand the security implications of installing apps from unknown sources on Android. A forum listing advertising a cracked, ad-free YouTube app could actually install a malicious update on top of Free Basics by Facebook. Because it would run as the same package, that update could read the existing app's data and log anything entered into or sent to it.

The report also notes that malware of this kind could target the older phones common in emerging markets, which is made easier by the fact that the Free Basics app supports software as old as Android 4.2 Jelly Bean. The leaked key does not mean that every phone running the older version of Free Basics by Facebook is immediately compromised, but it is a complicating detail that opens an extra avenue for potential security problems.

At the time of writing, Facebook has not made any official announcement about the compromised key or the new version of the Free Basics app, but a company spokesperson gave Android Police the following statement:

“We were notified of a potential security issue that could have tricked people into installing a malicious update to their Free Basics app for Android if they chose to use untrusted sources. We have seen no evidence of abuse and have fixed the issue in the latest release of the app.”

Until Facebook makes an official statement, it would be safest to uninstall the old version of the Free Basics app and move to the new version as soon as possible.
