"Nuclear-grade" Android vulnerability Janus, hackers can arbitrarily tamper with the app

December 9, U.S. time, Google disclosed a name "Janus" Android vulnerability. The vulnerability could allow an attacker to bypass the Android signature mechanism, which could allow an attacker to tamper with an app, and the Android 5.0 to 8.0 version system is affected.

Top image security experts remind Android users to upgrade to the latest version of Android, and download or update the app on the app's official website. It is also recommended that the developer upgrade the app APK (install package) to the V2 signature mechanism, or configure the app with a top-image security SDK to protect against the threat posed by the vulnerability.

This is a "nuclear" level security breach.

The "Janus" vulnerability was disclosed in a security bulletin released by Google in December by the research team at Mobile security company Guardsquare, who found that the vulnerability number: cve-2017-13156.

The vulnerability is based on the signature and verification mechanisms established by the Android Jarsigner mechanism signature scheme V1. Signing and checking is a key mechanism for Android to ensure that apps are not modified, forged, or tampered with by others. The "Janus" vulnerability could allow an attacker to bypass the Android signature mechanism, which could enable an attacker to tamper with any app.

Once an attacker has placed a counterfeit app with malicious code into a third-party marketplace such as the Android store, it can be used as an alternative to the original app for public downloading and updating. After installing these counterfeit apps, netizens will not only disclose personal information such as individual accounts, passwords, photos, files, etc., but also the mobile phone is more likely to be implanted with Trojan virus, which may lead to the phone being rooted or even remotely manipulated.

Because the other security mechanisms of Android are built on the basis of signature and verification, the "Janus" loophole can be said to break through the entire security mechanism of Android, resulting in the fall of the entire security system of Android. as a result, the vulnerability was also targeted at "nuclear" levels by domestic security researchers.

However, the "Janus" vulnerability is only for Android 5.0-8.0 system, based on the signature scheme V1 signature mechanism of the app, using the Siginature scheme V2 signature mechanism of the app is not affected. In addition, Google's latest version of the Android system has also fixed the vulnerability.

Top image Technology emergency release app protection solution

Top image technology security expert Liang recommends the vast number of Android users:

1, upgrade to the latest version of Android system as soon as possible;

2, as far as possible to the official website updates, download the app, in the short term without using the third Fang Andro app market update or download app.

For the vast number of Android developers, Liang recommends:

1, the app apk upgrade to the latest signature scheme V2 signature mechanism;

2. Developers check the start byte of the app apk file in time to ensure the app has not been tampered with;

3. Use the Security SDK provided by the top image technology.

For the "Janus" vulnerability of the origin, impact and solution, the top image technology will do a detailed technical analysis.

* More business security class technology sharing, please focus on the top Elephant official blog:https://www.dingxiang-inc.com/blog

"Nuclear-grade" Android vulnerability Janus, hackers can arbitrarily tamper with the app