The security of Android app updates hinges on the secrecy of a given app’s signing key. It’s how app updates are verified as secure, and if it falls into the wrong hands, false updates could be distributed containing nefarious changes. As a result, developers usually guard signing keys quite closely, but someone at Facebook seriously messed up. A key used by the company to digitally sign its Free Basics by Facebook app has been compromised, and third-party apps reusing the key have been spotted online.
After APK Mirror and Android Police owner Artem Russakovskii discovered the issue and reported it to Facebook, the original app listing was pulled from the Play Store and replaced with a new app using a new signing key. Since then, the company has not publicly divulged the nature of the compromised key or the precise reason for the re-released app to its users, placing them at risk if they still have the old version installed. Before the listing was removed, the original Free Basics by Facebook app had over five million downloads on the Play Store.
In the past several weeks, I noticed a bunch of random APKs being uploaded with @facebook’s crypto signature used in its Free Basics app.
Upon closer examination, they either used a public debug key or the key got leaked.
Either way, this is dumb, FB. https://t.co/71uSMPO8YP
— Artem Russakovskii (@ArtemR) August 9, 2019
Android Police’s sister site APK Mirror hosts Android apps for download. We do it for several reasons: to circumvent censorship, so enthusiasts can download updates before they’re widely rolled out, to mitigate geographic restrictions, and to provide a historical archive for comparison and ease of rolling back updates, among other reasons. We’re especially concerned about security, given how dangerous downloading apps from third-party sources can be, so we go out of our way to manually review and vet every APK that hits the site.
In the last month, we’ve spotted third-party apps using a debug signing key which matched the key used by Facebook for its Free Basics Android app. (As an aside, using a “debug” key in production is also not a best practice for developers, let alone one of Facebook’s reach and stature.)
We notified Facebook about the leaked key earlier this month, and the company verified it, pledging to address the issue in a new version of the app, which the company claims it has prompted users to upgrade to from inside the old app. Based on details provided to us by Facebook, the precise reason why customers need to upgrade isn’t included in that prompt, and Facebook hasn’t published details regarding it elsewhere.
The listing for the Free Basics by Facebook app has since been pulled from the Play Store and replaced with a new listing utilizing a new app signing key. We aren’t sure of precisely when the app was de-listed, as the last Internet Archive backup of the listing was in July, and the replacement app landed on August 14th. Facebook claims that it released a new version of the app within 24 hours of Russakovskii’s report. APK Mirror is also not accepting uploads that use the compromised key.
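As an added example (not code from Android Police, APK Mirror or Facebook), here is the kind of defender-side check an archive can run on uploads before accepting them: it pulls the signer certificates out of an APK's v1 (JAR) signature blocks, fingerprints them with SHA-256, and compares them against a block list of refused certificates. The block-list value and the in-memory sample APK are constructed placeholders, since the page does not publish the compromised key's fingerprint; the example reads only META-INF signature files, not the APK Signature Scheme v2/v3 signing block.

```python
import hashlib, io, zipfile

BLOCKED_CERT_SHA256 = {"<sha256-of-refused-cert-placeholder>"}  # page publishes no real fingerprint

def der_tlv(tag, body):  # DER encoder, used only to build the constructed sample below
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def der_read(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def certs_from_pkcs7(blob):
    """Return each DER Certificate inside a PKCS#7 SignedData (META-INF/*.RSA, .DSA, .EC)."""
    _, p, _ = der_read(blob, 0)        # ContentInfo SEQUENCE: descend
    _, _, p = der_read(blob, p)        # contentType OID: skip
    _, p, _ = der_read(blob, p)        # [0] EXPLICIT wrapper: descend
    _, p, _ = der_read(blob, p)        # SignedData SEQUENCE: descend
    for _ in range(3): _, _, p = der_read(blob, p)  # skip version, digestAlgorithms, encapContentInfo
    tag, p, end = der_read(blob, p)    # certificates [0] IMPLICIT SET OF Certificate
    certs = []
    while tag == 0xA0 and p < end:     # absent certificates field -> no signers found
        _, _, nxt = der_read(blob, p)
        certs.append(blob[p:nxt])      # whole Certificate TLV: the bytes a fingerprint hashes
        p = nxt
    return certs

def apk_signer_fingerprints(apk):
    """SHA-256 fingerprints of every signer certificate in the APK's v1 (JAR) signature blocks."""
    fps = set()
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC"):
                fps.update(hashlib.sha256(c).hexdigest() for c in certs_from_pkcs7(z.read(name)))
    return fps

def sample_apk(cert_der):
    """Constructed in-memory APK whose META-INF/CERT.RSA wraps cert_der (OIDs shortened)."""
    signed = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"")
                     + der_tlv(0x30, der_tlv(0x06, b"\x2a\x03")) + der_tlv(0xA0, cert_der))
    blob = der_tlv(0x30, der_tlv(0x06, b"\x2a\x03") + der_tlv(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", blob)
    return io.BytesIO(buf.getvalue())
```

An upload is refused when `apk_signer_fingerprints(path) & BLOCKED_CERT_SHA256` is non-empty; the same routine lets a developer confirm that a release build is not signed with the well-known debug certificate by comparing against its fingerprint.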
Continued on AndroidPolice (via WaybackMachine)