Recently, while extracting information from genuine mobile banking apps, Baidu Security Lab found that one digital certificate signature (signature information 1) is used by the mobile clients of many banks. Several applications from an individual developer were also found to be signed with the same certificate. Abuse of a signing certificate in this way poses a serious security risk.
Figure 1. Signature information
After further mining and analysis, the researchers found that the mobile banking clients of 23 different banks currently use this signature:
The mobile client applications of these banks are all outsourced to the same third-party company.
In the app markets, a total of 6 personally developed applications are currently signed with this digital certificate:
These six mobile clients come from the same individual developer. We infer that this developer is an employee of the "third-party company" who "accidentally" signed small personal applications with the company's digital certificate and published them to various application markets.
No malicious use of the certificate has been found so far. However, the following serious security risks exist:
1. The Android clients of different banks use the same certificate signature.
In Android, the role of a signing certificate is to establish a trust relationship between an application and its developer, who is in fact the application's owner; it is an important part of the Android security model. Although these bank clients were developed by one company, they are in fact owned by the individual banks, so they should not share the same signature.
2. The banks' Android mobile clients use the signing certificate of the third-party outsourcing company.
Banking applications are closely tied to people's money and should therefore pay particular attention to application security. Since certificate signing is a part of an Android application that is closely tied to its security, each bank should create its own signing certificate and manage it strictly. Even if the client is developed by another company, the bank should sign it with its own unique certificate when it is finally released. The current situation, however, is that the applications of a number of banks use the same outsourcing company's certificate, and from the current analysis this certificate is the company's general-purpose certificate, with no independence or confidentiality to speak of.
3. The third-party outsourcing company lacks certificate management: such an important certificate is, astonishingly, used personally to sign personal applications.
Given the rules and permissions that Android grants to applications signed with the same certificate, if such an important signing certificate were used by an individual developer to build a malicious program, it could do great damage to users of these genuine client applications, especially since many of these applications are widely used. At present 20 bank mobile clients use the same certificate; once the certificate is stolen, a malicious developer could endanger the funds of users of at least 20 banks' mobile clients, so the scope of the damage is very large.
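As an added example (not code from Baidu's report), the audit check a practitioner would run to catch this condition: parse the SHA-256 certificate digests that `apksigner verify --print-certs` prints for each APK and flag any certificate used by more than one publisher. The package names, publishers and digests below are constructed.

```python
import re
from collections import defaultdict

# Digest line printed by `apksigner verify --print-certs` for each signer.
DIGEST_RE = re.compile(r"Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})")

# Constructed sample output, keyed by (package name, publisher). Package names,
# publishers and digests are made up; three unrelated publishers share one cert.
OUTSOURCER = "11" * 32
SAMPLE_OUTPUT = {
    ("com.banka.mobile", "Bank A"):
        "Signer #1 certificate SHA-256 digest: %s\n" % OUTSOURCER,
    ("com.bankb.mobile", "Bank B"):
        "Signer #1 certificate SHA-256 digest: %s\n" % OUTSOURCER,
    ("com.bankc.mobile", "Bank C"):
        "Signer #1 certificate SHA-256 digest: %s\n" % ("22" * 32),
    ("com.hobby.flashlight", "Individual developer"):
        "Signer #1 certificate SHA-256 digest: %s\n" % OUTSOURCER,
}


def signer_digests(output):
    """Set of SHA-256 certificate digests found in one apksigner output."""
    return set(DIGEST_RE.findall(output))


def group_by_certificate(outputs):
    """Map each certificate digest to the (package, publisher) pairs it signs."""
    groups = defaultdict(set)
    for (package, publisher), text in outputs.items():
        for digest in signer_digests(text):
            groups[digest].add((package, publisher))
    return groups


def shared_certificates(outputs):
    """Digests used by more than one distinct publisher.

    Android treats apps signed with the same certificate as the same developer
    (signature-level permissions, shared UIDs), so a certificate shared across
    unrelated publishers is exactly the condition described above.
    """
    return {
        digest: sorted(apps)
        for digest, apps in group_by_certificate(outputs).items()
        if len({publisher for _, publisher in apps}) > 1
    }
```

On real APKs, run `apksigner verify --print-certs <apk>` per file and feed each output into the same dictionary keyed by package and publisher.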
The vulnerability has now been submitted to the WooYun vulnerability platform:
http://www.wooyun.org/bugs/wooyun-2014-067027