Android apps are digitally signed by their developers. Digital signatures are created using a private cryptographic key, and the word ‘private’ means just what it says – the value of the signature depends on keeping the signing key private.
After all, if someone else gets hold of your private key then they can sign their own apps with it and pass them off as yours.
Facebook, however, is reportedly shrugging off the fact that it lost control of one of its app-signing keys and that apps signed with that same key are popping up in unofficial repositories.
The signing key that Facebook lost was apparently used to vouch for the Free Basics by Facebook app. According to Artem Russakovskii, the owner of the Android Police website and its sister site, APK Mirror, which hosts Android apps for download, third-party apps signed with that key have appeared online.
Free Basics, in case you are wondering, is part of Facebook’s 2016 plan to connect everyone on the planet, for free.
Android Police says that it notified Facebook about the leaked key earlier in August. Facebook verified the key leak and said it would address the issue in a new version of the app. Russakovskii claimed that because he tweeted about the issue publicly after reporting it, Facebook didn’t pay him a bug bounty.
Facebook acknowledged the issue and said a new version of the affected app (with presumably a new key) would be released. — Artem Russakovskii (@ArtemR) August 15, 2019
However, because I publicly posted about the issue, they won't be issuing a bounty.
Oh well. Curious how much it would have been.
Android Police reports that although Facebook has prompted users to upgrade, it hasn’t told them exactly why. Nor has it published details about the leaked key, even though this sort of security glitch is a compelling reason to rip out the old version of the app entirely. Android will only accept an update to an installed app if the update is signed with the same key as the version already on the device, so for as long as the old version (signed with the leaked key) stays installed, anyone holding that key can produce a bogus “update” that the device will treat as genuine. Remove the old version and that avenue closes.
Facebook quietly released a new version of Free Basics in mid-August, signed with a new key, which as of last week had been downloaded just over 100,000 times, as The Register reports.
This is the statement about the matter that Facebook sent over to The Register:
We were notified of a potential security issue that could have tricked people into installing a malicious update to their Free Basics app for Android if they chose to use untrusted sources. We have seen no evidence of abuse and have fixed the issue in the latest release of the app.
The Register ran a Google search for the SHA-1 fingerprint of the old signing certificate (the value that tools such as keytool and apksigner print for an APK’s signer) and reports that it returns “some results to dodgy third-party sites and apps which are definitely not Facebook Basics.”
Not the first time
Facebook certainly isn’t the only organisation that’s managed to let its private keys go public. In September 2016, the European security consultancy SEC Consult found that 4.5 million web servers, mostly embedded devices such as routers and modems shipped with hard-coded certificates, were using private keys that were publicly known.
That figure came nine months after SEC Consult had first warned about the problem, when it counted 3.2 million web servers using already-public private keys. So much for the warning: things hadn’t got better – quite the opposite!
What to do?
Getting your apps from official app stores can help you to steer clear of dodgy apps, though it’s certainly not a guarantee that you won’t run into some scary things.
Google last week announced that it would be throwing bug bounty money not just at its own apps, but also at mega-popular third-party apps, even if those app developers have their own bug bounty programs.
And as far as Free Basics goes, if you know anyone who uses it, make sure they have removed the old version of the app and replaced it with the latest one, signed with Facebook’s new, and hopefully still-private, private key.
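The Go program below is an added illustration, not code from the original article or from Facebook, of the two points made above: that whoever holds the signing key can produce packages that verify as the developer’s, and that Android only accepts an update if it is signed with the same key as the installed version, which is why uninstalling the old app matters. It is a simplified model and makes some assumptions: Ed25519 stands in for the RSA or EC key in a real signing certificate, the fingerprint is taken over the bare public key rather than the X.509 certificate DER, the version and package checks are reduced to the same-signer and no-downgrade rules, and the package name com.example.freebasics is made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"strings"
)

// Signer holds a developer's (or an attacker's) signing key pair.
// Ed25519 is an assumed stand-in for the key inside a real Android signing certificate.
type Signer struct {
	Priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSigner generates a fresh key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Priv: priv, Pub: pub}, nil
}

// APK is a simplified package: identity, version, code, and the signer's
// public key plus a signature covering all three.
type APK struct {
	Package   string
	Version   int
	Code      []byte
	SignerPub ed25519.PublicKey
	Sig       []byte
}

// signingInput binds package name and version into the signed bytes so a
// signature cannot be moved onto another app or replayed as a newer version.
func signingInput(pkg string, version int, code []byte) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "%s|%d|", pkg, version)
	b.Write(code)
	return b.Bytes()
}

// Sign produces a signed package with this signer's key.
func (s *Signer) Sign(pkg string, version int, code []byte) APK {
	return APK{Package: pkg, Version: version, Code: code, SignerPub: s.Pub,
		Sig: ed25519.Sign(s.Priv, signingInput(pkg, version, code))}
}

// Fingerprint renders SHA-1 of the public key in the colon-separated form
// keytool and apksigner use (on a device the hash covers the certificate DER).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha1.Sum(pub)
	parts := make([]string, len(sum))
	for i, c := range sum {
		parts[i] = fmt.Sprintf("%02X", c)
	}
	return strings.Join(parts, ":")
}

// Device models the part of the package manager that decides whether an APK
// may be installed fresh or may replace an installed one.
type Device struct {
	installed map[string]APK
}

// Install verifies the signature and, for an update, enforces the same-signer
// rule: the signer must match the installed version's, and no downgrades.
func (d *Device) Install(a APK) error {
	if d.installed == nil {
		d.installed = make(map[string]APK)
	}
	if !ed25519.Verify(a.SignerPub, signingInput(a.Package, a.Version, a.Code), a.Sig) {
		return fmt.Errorf("%s: signature does not verify", a.Package)
	}
	if cur, ok := d.installed[a.Package]; ok {
		if Fingerprint(cur.SignerPub) != Fingerprint(a.SignerPub) {
			return fmt.Errorf("%s: INSTALL_FAILED_UPDATE_INCOMPATIBLE (signer changed)", a.Package)
		}
		if a.Version <= cur.Version {
			return fmt.Errorf("%s: version %d is not newer than %d", a.Package, a.Version, cur.Version)
		}
	}
	d.installed[a.Package] = a
	return nil
}

// Uninstall removes the app and with it the record of which signer it trusts.
func (d *Device) Uninstall(pkg string) { delete(d.installed, pkg) }

// RunScenario installs the genuine app, tries a hostile "update" signed with a
// leaked copy of the same key (accepted), then uninstalls, reinstalls with a
// fresh key, and tries the attack again (rejected). It reports both outcomes.
func RunScenario() (acceptedBeforeRotation, rejectedAfterRotation bool, err error) {
	const pkg = "com.example.freebasics" // constructed name for the example
	vendor, err := NewSigner()
	if err != nil {
		return false, false, err
	}
	attacker := &Signer{Priv: vendor.Priv, Pub: vendor.Pub} // holds the leaked key
	var phone Device
	if err := phone.Install(vendor.Sign(pkg, 1, []byte("genuine v1"))); err != nil {
		return false, false, err
	}
	acceptedBeforeRotation = phone.Install(attacker.Sign(pkg, 2, []byte("malicious v2"))) == nil
	phone.Uninstall(pkg) // remediation: remove the app signed with the leaked key
	fresh, err := NewSigner()
	if err != nil {
		return false, false, err
	}
	if err := phone.Install(fresh.Sign(pkg, 3, []byte("genuine v3"))); err != nil {
		return false, false, err
	}
	rejectedAfterRotation = phone.Install(attacker.Sign(pkg, 4, []byte("malicious v4"))) != nil
	return acceptedBeforeRotation, rejectedAfterRotation, nil
}

func main() {
	accepted, rejected, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaked-key update accepted while old app installed:", accepted)
	fmt.Println("leaked-key update rejected after reinstall with new key:", rejected)
}
```

Run with `go run .`; the first line prints true and the second true. The same-signer check is the whole reason the advice is “uninstall, then install the new build” rather than “wait for an update”: a version signed with a different key cannot be applied as an update at all, and while the old one remains, the leaked key is still trusted by that device.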