Recently, there was an issue regarding the compromise of the cryptographic key used by the Facebook Android apps for signing in. As a result, third parties are spotted re-using the keys online. This has become a major drawback for Facebook because it could bring serious damage to the app users as well as to the app developers.
The security of the Android apps updates solely depends upon the secrecy of a given app’s signing key. The signing keys are based on cryptography and responsible for the apps’ security updates. Therefore if they fall into the wrong hands, there is a high chance of them being misused. Hence, the developers try to secure and guard their signing keys as much as possible.
But this time, Facebook has failed to protect the crypto signature of one of its Free Basis apps. Artem Russakovskii, APK Mirror, and Android Police owner, found the problem and reported it to Facebook immediately. After that, the original app listing was removed from the Play Store and replaced with a new app using a different signing key. The company has not yet revealed the nature of the compromised key or the exact reason for the re-release of the app. This may put the users at risk because they might be using the old version of the app. Although Facebook claims that it released a new version of the app within 24 hours of Russakovskii’s report.
Issue regarding third-party involvement
Many sites, e. g. APK Mirror host Android apps to download. The site gives access to the link of the because of several reasons:
- to mitigate geographic restrictions
- to circumvent censorship
- to provide a historical archive for comparison
- to ease the rolling back updates etc.
According to a Android Police report, they had spotted third party apps using a debug signing key which matched the key used by Facebook for its Free Basics Android app.
After they reported it to Facebook about the leaked key, the company verified it. They immediately issued a new version of the app, which the company claims it has prompted users to upgrade to from inside the old app. But Facebook has not yet published any details regarding it.
Since then, the listing for the Free Basics by the Facebook app has been pulled out of the Play store. They finally replaced it with a new listing that uses a new app signing key. An Android Police report says that the exact date of the app was de-listing is still not found, as the last Internet Archive backup of the listing was in July and the replacement app came on August 14th.
How do the signing keys work?
The developers sign the Android apps and give them a cryptographic signature that verifies it as legitimate, regardless of its source. However, the security depends upon how much the developers can secure their app’s signing key secret. But if the key is made public, anyone can sign an app that claims to be an update to their app, and the users might install it right over the real app. Therefore it possesses a major threat against security.
To ease the problem, Google had started allowed developers to store app signing keys. The “Google Play App Signing,” as it’s called, means that app keys can’t ever be lost and compromised keys can be “upgraded” to new keys. However, not all developers take advantage of this new service. If you follow Google’s recommendation and destroy your local copy of the key after migrating, you can no longer distribute apps with a single key outside the Play Store.
In many cases, it’s simpler for developers targeting multiple avenues of app distribution to manage signing keys themselves. (Android 9 Pie also supports a new “key rotation” feature which securely verifies a lineage of signatures in case you need to change them, but it’ll be a while before every phone supports it.)
Suppose signing keys fall into the wrong hands. In that case, third parties can distribute maliciously modified versions of the app as updates on venues outside the Play Store, and potentially trick sites similar to APK Mirror that rely on signature verification. Someone can easily upload a fake app that looks like it was made by Facebook to a forum or trick less wary APK distribution sites into publishing it based on the verified app signature. Customers who stick to official sources like the Play Store should be safe, but folks used to sideloading apps or prompted to follow steps they don’t fully understand are at risk.
Also, note that any updates to the older Free Basics app delivered by the Play Store would still require the credentials for an account associated with the app’s Developer Console, you ned not to worry about downloading malware-laden versions from Google’s (now defunct) listing for the compromised app.
We’ve already spotted third-party apps using the Free Basics by Facebook’s signature being distributed in the wild, so the effective “exploit” which is presented by the compromised security key is actively being used. Although we provided Facebook with evidence regarding these third-party apps using the Free Basics signing key, the company maintains it has “seen no evidence of abuse.” Apparently, third-party use of an app’s signing key does not constitute abuse in Facebook’s mind, though we are personally consider any re-use of the leaked key to imply deliberate and potentially malicious intent.
New app details
Facebook has already released a new app on the Play Store with a new application ID while changing the app’s system facing name as well as its signing key. However, Facebook re-released the Free Basics app with the new key within twenty-four hours of Russakovskii’s report, although Play Store records has it that the new app was updated on August 14th, five days after the company responded to his reports regarding the leaked key.
Android Police says in a report that the previous app listing reported over five million installs, while the updated version with the secure key counts less than 50,000 — either a whole lot of people stopped using the app, or most folks haven’t updated to the new version yet.
The old App is suggesting the users to move on to the new version of the app. But Facebook has not yet made any announcement regarding it. Even Play Store also doesn’t show any data regarding the leaked key situation.
The Free Basics app was meant for customers with limited or prohibitively expensive data in developing countries. The app has been banned in several countries because of its issues.
Dangers of the third party based malware apps
People who just have started using online apps are less likely to understand the security implications of installing apps from unknown sources on Android devices. Forum listings apparently advertising a cracked ad-free YouTube app could actually install a malicious update on top of Free Basics by Facebook. The app could then may read the existing app’s data and log information input or sent to it.
A report states that the potential malware-based app could also use older phones to fulfill its malicious actions in emerging markets. It makes it easier for them because the Free Basics app does support and target software as old as Android 4.2 Jelly Bean. The leaked security key doesn’t mean that every phone is running on the older version of the Free Basics by the Facebook app is immediately compromised, but it is a complicating detail that enables an extra avenue for potential security issues.
As far as it was reported, Facebook has not yet made any official announcement regarding the compromised key and the new version of the Free Basics app. However, a company spokesperson informed Android Police about the situation.
“We were notified of a potential security issue that could have tricked people into installing a malicious update to their Free basics app for Android if they chose to use untrusted sources. We have seen no evidence of abuse and have fixed the issue in the latest release of the app”.
It would be safe to uninstall the old version of the Free Basics app and migrate to the new version as soon as possible until Facebook makes an official statement regarding this.