Live Updates: COVID-19 Cases
  • World 19,485,746
    Confirmed: 19,485,746
    Active: 6,256,778
    Recovered: 12,506,928
    Death: 722,040
  • USA 5,084,440
    Confirmed: 5,084,440
    Active: 2,320,578
    Recovered: 2,600,062
    Death: 163,800
  • Brazil 2,962,442
    Confirmed: 2,962,442
    Active: 794,476
    Recovered: 2,068,394
    Death: 99,572
  • India 2,086,864
    Confirmed: 2,086,864
    Active: 616,617
    Recovered: 1,427,669
    Death: 42,578
  • Russia 877,135
    Confirmed: 877,135
    Active: 178,818
    Recovered: 683,592
    Death: 14,725
  • South Africa 545,476
    South Africa
    Confirmed: 545,476
    Active: 140,808
    Recovered: 394,759
    Death: 9,909
  • Mexico 462,690
    Confirmed: 462,690
    Active: 103,325
    Recovered: 308,848
    Death: 50,517
  • Peru 455,409
    Confirmed: 455,409
    Active: 124,648
    Recovered: 310,337
    Death: 20,424
  • Chile 368,825
    Confirmed: 368,825
    Active: 16,699
    Recovered: 342,168
    Death: 9,958
  • Spain 361,442
    Confirmed: 361,442
    Active: 332,939
    Recovered: ?
    Death: 28,503
  • Iran 322,567
    Confirmed: 322,567
    Active: 24,711
    Recovered: 279,724
    Death: 18,132
  • UK 309,005
    Confirmed: 309,005
    Active: 262,494
    Recovered: ?
    Death: 46,511
  • Saudi Arabia 285,793
    Saudi Arabia
    Confirmed: 285,793
    Active: 33,752
    Recovered: 248,948
    Death: 3,093
  • Pakistan 282,645
    Confirmed: 282,645
    Active: 18,494
    Recovered: 258,099
    Death: 6,052
  • Bangladesh 252,502
    Confirmed: 252,502
    Active: 103,585
    Recovered: 145,584
    Death: 3,333
  • Italy 249,756
    Confirmed: 249,756
    Active: 12,924
    Recovered: 201,642
    Death: 35,190
  • Turkey 238,450
    Confirmed: 238,450
    Active: 11,063
    Recovered: 221,574
    Death: 5,813
  • Germany 216,315
    Confirmed: 216,315
    Active: 10,861
    Recovered: 196,200
    Death: 9,254
  • France 197,921
    Confirmed: 197,921
    Active: 84,761
    Recovered: 82,836
    Death: 30,324
  • Canada 118,757
    Confirmed: 118,757
    Active: 6,569
    Recovered: 103,222
    Death: 8,966
  • China 84,565
    Confirmed: 84,565
    Active: 843
    Recovered: 79,088
    Death: 4,634
  • Netherlands 57,501
    Confirmed: 57,501
    Active: 51,347
    Recovered: ?
    Death: 6,154
  • Australia 20,272
    Confirmed: 20,272
    Active: 8,859
    Recovered: 11,147
    Death: 266
  • S. Korea 14,519
    S. Korea
    Confirmed: 14,519
    Active: 673
    Recovered: 13,543
    Death: 303
  • New Zealand 1,569
    New Zealand
    Confirmed: 1,569
    Active: 23
    Recovered: 1,524
    Death: 22

Signing keys for a Facebook Android app has been compromised

Author at TechGenyz Facebook
Crytographic Key Facebook

Recently, there was an issue regarding the compromise of the cryptographic key used by the Facebook Android apps for signing in. As a result, third parties are spotted re-using the keys online. This has become a major drawback for Facebook because it could bring serious damage to the app users as well as to the app developers.

The security of the Android apps updates solely depends upon the secrecy of a given app’s signing key. The signing keys are based on cryptography and are responsible for the security updates of the apps. Therefore if they fall into the wrong hands, there is a high chance of them being misused. Hence, the developers try to secure and guard their signing keys as much as possible.

But this time, Facebook has failed to protect the crypto signature of one of its Free Basis apps. Artem Russakovskii, APK Mirror, and Android Police owner found the problem and reported it to Facebook immediately. After that, the original app listing was taken out of the Play Store and was replaced with a new app using a different signing key. The company has not yet revealed the nature of the compromised key or the exact reason for the re-release of the app. This may put the users at risk because they might be using the old version of the app. Although Facebook claims that it released a new version of the app within 24 hours of Russakovskii’s report.

Issue regarding third-party involvement

Many sites, e. g. APK  Mirror host Android apps to download. The site gives access to the link of the because of several  reasons:

  • to mitigate geographic restrictions
  • to circumvent censorship
  • to provide a historical archive for comparison
  • to ease the rolling back updates etc.

According to a Android Police report, they had spotted third party apps using a debug signing key which matched the key used by Facebook for its Free Basics Android app.

After they reported it to Facebook about the leaked key, the company verified it. They immediately issued a new version of the app, which the company claims it has prompted users to upgrade to from inside the old app. But Facebook has not yet published any details regarding it.

Since then, the listing for the Free Basics by the Facebook app has been pulled out of the Play store. They finally replaced it with a new listing that uses a new app signing key. An Android Police report says that the exact date of the app was de-listing is still not found, as the last Internet Archive backup of the listing was in July and the replacement app came on August 14th.

How do the signing keys work?

The developers sign the Android apps and give them a cryptographic signature that verifies it as legitimate, regardless of its source. However, the security depends upon how much the developers can secure their app’s signing key secret. But if the key is made public, then anyone can sign an app that claims to be an update to their app, and the users might install it right over the top of the real app. Therefore it possesses a major threat against security.

To ease the problem, Google had started allowed developers to store app signing keys. The “Google Play App Signing,” as it’s called, means that app keys can’t ever be lost and compromised keys can be “upgraded” to new keys. However, not all developers take advantage of this new service. If you follow Google’s recommendation and destroy your local copy of the key after migrating, you can no longer distribute apps with a single key outside the Play Store.

In many cases, it’s simpler for developers targeting multiple avenues of app distribution to manage signing keys themselves. (Android 9 Pie also supports a new “key rotation” feature  which securely verifies a lineage of signatures in case you need to change them, but it’ll be a while before every phone supports it.)

If signing keys fall into the wrong hands, third parties can distribute maliciously modified versions of the app as updates on venues outside the Play Store, and potentially trick sites similar to APK Mirror that rely on signature verification. Someone can easily upload a fake app that looks like it was made by Facebook to a forum or trick less wary APK distribution sites into publishing it based on the verified app signature. Customers who stick to official sources like the Play Store should be safe, but folks used to sideloading apps or prompted to follow steps they don’t fully understand are at risk.

Also, note that any updates to the older Free Basics app delivered by the Play Store would still require the credentials for an account associated with the app’s Developer Console, you ned not to worry about downloading malware-laden versions from Google’s (now defunct) listing for the compromised app.

We’ve already spotted third-party apps using the Free Basics by Facebook’s signature being distributed in the wild, so the effective “exploit” which is presented by the compromised security key is actively being used. Although we provided Facebook with evidence regarding these third-party apps using the Free Basics signing key, the company maintains it has “seen no evidence of abuse.” Apparently, third-party use of an app’s signing key does not constitute abuse in Facebook’s mind, though we are personally consider any re-use of the leaked key to imply deliberate and potentially malicious intent.

New app details

Facebook has already released a new app on the Play Store with a new application ID while changing the app’s system facing name as well as its signing key. However, Facebook re-released the Free Basics app with the new key within twenty-four hours of Russakovskii’s report, although Play Store records has it that the new app was updated on August 14th, five days after the company responded to his reports regarding the leaked key.

Android Police says in a report that the previous app listing reported over five million installs, while the updated version with the secure key counts less than 50,000 — either a whole lot of people stopped using the app, or most folks haven’t updated to the new version yet.

The old App is suggesting the users to move on to the new version of the app. But Facebook has not yet made any announcement regarding it. Even Play Store also doesn’t show any data regarding the leaked key situation. 

The Free Basics app was meant for customers with limited or prohibitively expensive data in developing countries. The app has been banned in several countries because of its issues.

Dangers of the third party based malware apps

People who just have started using online apps are less likely to understand the security implications of installing apps from unknown sources on Android devices. Forum listings apparently advertising a cracked ad-free YouTube app could actually install a malicious update on top of Free Basics by Facebook. The app could then may read the existing app’s data and log information input or sent to it.

A report states that the potential malware-based app could also use older phones to fulfill its malicious actions in emerging markets. It makes it easier for them because the Free Basics app does support and target software as old as Android 4.2 Jelly Bean. The leaked security key doesn’t mean that every phone is running on the older version of the Free Basics by the Facebook app is immediately compromised, but it is a complicating detail that enables an extra avenue for potential security issues.

As far as it was reported, Facebook has not yet made any official announcement regarding the compromised key and the new version of the Free Basics app. However, a company spokesperson informed Android Police about the situation.

“We were notified of a potential security issue that could have tricked people into installing a malicious update to their Free basics app for Android if they chose to use untrusted sources. We have seen no evidence of abuse and have fixed the issue in the latest release of the app”.

It would be safe to uninstall the old version of the Free Basics app and migrate to the new version as soon as possible until Facebook makes an official statement regarding this.