-3

What are the chances a third party could make changes to apps on Google Play that I have installed, so that when I next update I am compromised?

Rory Alsop
user117619

2 Answers

2

From the perspective of an attacker who wants to update the app on the Google Play Store without the knowledge of the developer (or bending Google's arm to accept the malicious app, for that matter):

One hurdle is getting victim Android devices to accept the update as an update, instead of as a completely new app.

App upgrade: When the system is installing an update to an app, it compares the certificate(s) in the new version with those in the existing version. The system allows the update if the certificates match. If you sign the new version with a different certificate, you must assign a different package name to the application—in this case, the user installs the new version as a completely new application.

Source: http://developer.android.com/tools/publishing/app-signing.html#considerations

Even if the attacker can upload their malicious .apk to the Google Play Store, they would have to be able to sign it with the developer's private key. Getting a hold of this private key will vary in difficulty from developer to developer, so it's tough to evaluate the chances of this happening.

PlasmaSauna
  • This might sound odd, but I'm now wondering if there would be a way to verify which devs have been shaken down and NOT given in. I know it's a horrible analogy, but I'm thinking of the whole Russian Prison tattoo thing, wherein a person's character could (ostensibly) be determined by the ink he wears. Invariably it comes up when talking about the importance of privacy and security with folks new to the "space" why they should put their trust in one dev vs. another. I'm wondering about how we could go about "crowd sourcing" not only good code but the character behind the code? – user117619 Jul 23 '15 at 18:20
  • Short answer: no. Slightly longer answer: decompile the app. Medium answer: make another question on this subject to get more attention. Longer answer: I would guess that some signals of trustworthiness include the developer filing CVEs for their own products and the developer maintaining a mailing list for security announcements. Sarcastic answer: use social engineering techniques, perhaps the most legal of which is getting hired by a developer you want to investigate, earning their trust through hard work, etc... – PlasmaSauna Jul 25 '15 at 04:37
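The certificate comparison quoted in the answer above can be checked by hand before sideloading or auditing an update. The following is an added example, not code from the post or from Android: it assumes the `Signer #N certificate SHA-256 digest:` line format printed by `apksigner verify --print-certs`, models only the rule quoted above, and uses constructed digests and package names.

```python
import re
import subprocess

# SHA-256 lines as printed by `apksigner verify --print-certs` (Android SDK build-tools).
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.MULTILINE)

def signer_digests(print_certs_output):
    """Return the set of signer certificate SHA-256 digests found in apksigner output."""
    return frozenset(d.lower() for d in DIGEST_RE.findall(print_certs_output))

def read_apk_signers(apk_path):
    """Run apksigner on a local APK; check=True raises if apksigner reports failure."""
    result = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                            check=True, capture_output=True, text=True)
    return signer_digests(result.stdout)

def classify_install(installed_pkg, installed_signers, new_pkg, new_signers):
    """Apply the rule quoted above to a candidate APK (simplified model)."""
    if not new_signers:
        return "reject: no verified signer"
    if new_pkg != installed_pkg:
        return "new-app: installs alongside, not as an update"
    if new_signers == installed_signers:
        return "update: certificates match"
    return "reject: same package name, different certificate"

# Constructed sample data: made-up digests and package names, not real apps.
DEV_DIGEST = "ab" * 32
OTHER_DIGEST = "cd" * 32

def sample_output(digest):
    """Build constructed apksigner-style output for one signer."""
    return ("Signer #1 certificate DN: CN=Constructed Example\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            f"Signer #1 certificate SHA-1 digest: {digest[:40]}\n")

if __name__ == "__main__":
    installed = signer_digests(sample_output(DEV_DIGEST))
    for pkg, digest in [("com.example.app", DEV_DIGEST),
                        ("com.example.app", OTHER_DIGEST),
                        ("com.example.app2", OTHER_DIGEST)]:
        print(pkg, digest[:8], "->", classify_install(
            "com.example.app", installed, pkg, signer_digests(sample_output(digest))))
```

With a real pair of files, `read_apk_signers()` on the installed APK and on the candidate gives the two sets to pass to `classify_install()`.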
1

This is a hard question to answer. If law enforcement knew of a vulnerability that would allow them to replace apps in Google Play, they could use it (with varying degrees of legality). Perhaps they could get a court order forcing Google Play to allow them to update other people's apps (but I suspect that Google would fight this as best they could). Law enforcement could even pay the app developer to include specific modifications. There is likely no way of being certain.

But this problem isn't specific to Google Play, Android, or mobile devices. We know that the NSA has intercepted hardware shipments to tamper with the hardware.

If you're in the US, it seems unlikely to me that you would be targeted by law enforcement via an attack such as this unless you were suspected of being involved in threats to national security. But that's just a guess. We really can't know. All we know is that nothing has been made public that indicates that law enforcement has done this for non-national security threats.

Neil Smithline
  • There are cryptographic measures taken precisely to ensure that what you're talking about _can't_ happen - that's why apps are signed with a private key. Given that there are cryptographic limitations in place, I think it would be better to focus on ways that an attacker might overcome or circumvent those limitations. – Soron Jul 23 '15 at 02:52
  • So then it's akin to the "Web of Trust"? In other words, my Threat Mitigation Model necessarily includes people such as Moxie Marlinspike, Roger Dingledine and Mike Perry and organizations like the Riseup collective etc. because Appelbaum has not only said that these folks are trustworthy but also detailed why. – user117619 Jul 23 '15 at 18:04
  • @Ethan Kaminski, thanks for explaining that there is cryptography in place to prevent such shenanigans. – user117619 Jul 23 '15 at 18:09