Security researchers discovered the flaw in Android’s KeyStore

KeyStore protects encrypted data used to gain secure access to apps

Attackers could use the flaw to get hold of keys used by banking apps

It could also reveal PIN codes and patterns used to unlock devices

Google has released a fix for Android 4.4 KitKat devices

But the vulnerability still affects devices running 4.3 Jelly Bean or older

Android users running older versions of Google’s ubiquitous software are at risk of attack, according to a new study.

Security researchers have uncovered a major flaw that affects Android’s KeyStore – part of the system responsible for encrypted data and cryptographic keys – on older software releases. 

Keys are used to encrypt and hide information as people access certain apps, and the vulnerability means hackers could expose and steal banking data and passwords. 

_{Security researchers have uncovered a major flaw that affects Android’s KeyStore – part of the system responsible for encrypted data and cryptographic keys. Google has patched the issue in Android KitKat 4.4 (pictured left), but vulnerability still affects older software releases, including Android Froyo 2.2}   

Key Store is used to identify developers and users when they create, install and use apps

A team of experts at IBM spotted the flaw nine months ago, and flagged the vulnerability to Google.

Google has since issued a fix for its Android 4.4 KitKat software – but that still leaves all older versions of the software at risk.

This is believed to be 86 per cent of all Android handsets in current use.

Google has designed Android so that any installed apps need to be ‘digitally signed’ with a certificate.

_{Google has designed Android so that any installed apps need to be ‘digitally signed’ with a certificate (pictured). This certificate has a private key that is stored by the app’s developer. The flaw in this system means attackers can execute code to apps and steal keys on banking, and other, sensitive apps}

——————————————————————————————————————————————————

HOW TO PROTECT YOURSELF

Android users running older versions of the operating system are being advised to carefully check apps before installing them.

Apps should only be installed from the official Google Play Store.

Where possible, users should also install the most up-to-date version of Android available for their device.

Go to ‘Settings’ and then ‘Update’ to check for new releases.

It is also advisable to run antivirus software on devices to scan for any malicious code or apps already installed .

—————————————————————————————————————————————————–

This certificate has a private key that is stored by the app’s developer. Android uses this certificate to identify who created the app.

It is designed to stop hackers from being able to add malicious code to a developer’s app, without their permission.

The flaw discovered by IBM means attackers can execute such code to apps that could leak and steal keys on banking, and other, sensitive applications. 

It could also reveal PIN or finger patterns used to unlock handsets, for example.

But, to get access to the keys, hackers would need to install a malicious app onto a vulnerable handset in the first place. 

In theory, because banking apps ask for passwords every time they are used, and have added security measures, they are more secure than other apps, for example. But, this doesn’t mean they are impenetrable.

Android users running older versions of the system are being advised to carefully check apps before installing them.

Apps should only be installed from the official Google Play Store.

Where possible, users should install the most up-to-date version of Android available.

It is also advisable to run antivirus software on devices to scan for any malicious code or apps already installed.

Please follow and like us: