tyingq · 3 years ago
For once the headline is underselling the scope of the issue.

"some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets."

rodgerd · 3 years ago
"Mediatek" is functionally equivalent to "every cheap Android device".
gjsman-1000 · 3 years ago
They also show up in a million other places.

That Sony Google TV? MediaTek.

Google Chromecast? MediaTek.

Blu-ray Player? MediaTek.

Random IoT device? Likely MediaTek.

carl_dr · 3 years ago
> “Samsung takes the security of Galaxy devices seriously. We have issued security patches since 2016 upon being made aware of the issue“

They’ve known about it since 2016!?!

ehhthing · 3 years ago
The article is rather misleading. It is almost certain that Samsung used HSMs to sign their APKs, so the key itself could never actually leak unless someone had physical access to the HSMs themselves and managed to somehow delid it and then put it back together without anyone noticing. I'm not too familiar with the documented attacks on delidding HSMs, but I believe that delidding chips causes permanent damage to them in such a way that they will never function properly again.

It's much more likely that an employee's account was compromised and then used to sign malicious APKs, or something similar. Once Samsung realized, they could get the logs of every APK signed with the HSM and then revoke those certificates individually through a software update. Not really sure if they actually did that or not, but either way the key doesn't necessarily need to be replaced.

jeroenhd · 3 years ago
> revoke those certificates individually through a software update

Android doesn't really do revoking certificates in this way. The only way to fix a leak of a system key is to generate a new key and replace the entire system image.

I hope you're right that this is merely a remote signing account being compromised, because I don't see Samsung building six years of new system images.

fulafel · 3 years ago
Can you expand reasoning or evidence behind this guess that the keys would be stored (only) in HSM?
dagmx · 3 years ago
I think the more generous take is that they resigned all their security patches back to 2016 with a new key?
skipnup · 3 years ago
Maybe for all devices published since 2016?
dontbenebby · 3 years ago
Who's in charge of certificate stuff in these situations?
Izkata · 3 years ago
I don't know if this has changed since I last looked a few years ago (around 2018-2019), but:

The app-signing key can't be changed without just creating a new app, and creating a new app means your users won't be able to upgrade - they have to manually uninstall, go to the app store, and install the new one.

It's not just an app store thing, I think I remember Android itself verifies that the upgrades have the same key as the old version.

akiselev · 3 years ago
Some intern at the corporate HQ

kyrra · 3 years ago
Fyi, this is related to the story from 2 days ago:

https://news.ycombinator.com/item?id=33823946

An important comment from the original story:

> OEMs have mitigated the issues above in previous updates. A new security update from Android is not required to mitigate these issues. Ensuring your device is running the latest version of Android is a general best security practice for users.

Though the ars story says Samsung is signing their first party apps with it still. So who knows.

mattl · 3 years ago
It’s my understanding that most Android devices don’t get OEM updates for very long
jeroenhd · 3 years ago
Manufacturers have been extending the support life cycle for the past few years. Samsung provides five years of updates for most phones, for example, with four years of Android updates. Still not great, but a lot better than the single year of updates you used to get.

Extremely cheap brands don't tend to do updates much, especially Android version updates.

Mid-range phones land somewhere in the middle; some have budget hardware with decent support, but other brands get good hardware for dirt cheap in exchange for basically no software support after buying the phone. The latter is great if you're planning on using custom ROMs to extend the lifetime of your dirt cheap hardware, but quite terrible for people who are used to buying phones four times the price and expecting the same level of support, thinking they just scored a good deal.

neodymiumphish · 3 years ago
This is true in the sense that most android devices are small/cheap off brand or Chinese devices sold across low-income markets, like Africa and the Middle East. Any mid- or top-tier Android devices, such as Pixels and Galaxy devices which compete directly with Apple, are usually on a monthly security update cadence for at least 3 years.
ThrowawayTestr · 3 years ago
My S9 was getting updates as late as a few weeks ago.
fulafel · 3 years ago
Sounds like the mitigation might be just blacklisting the publicly seen malware sideloadable APKs, that's a pretty weak mitigation if the keys have leaked.
criddell · 3 years ago
Can they revoke the key?
everyone · 3 years ago
I mean considering the level of shitware samsung install on their phones (and make difficult to remove or disable) it will be hard to tell the difference between the official stuff and straight up honest malware.
neodymiumphish · 3 years ago
I used to feel that way, but since the S10 series, there are very few things built into the Galaxy line that fall in the description of shitware anymore. McAfee's device protection shit definitely, but other than that, I can't think of any forced crapware on my last 3 unlocked Galaxy devices.
vladvasiliu · 3 years ago
Do you specifically mean Galaxy S?

I bought a Galaxy A33 the other day for my mother. It came full of crapware. All kinds of Samsung this-or-the-other. Some of the apps can be disabled, but not all. Like parts of Bixby (= Samsung's assistant? no idea) can be disabled if you click through a warning, but others cannot.

There is also a bunch of 3rd party crap pre-installed, like MS Onedrive, Facebook, Tiktok.

And it pushes hard to use Onedrive instead of google drive.

There's also a separate, Samsung store, and some functions seem to require a Samsung account.

MikusR · 3 years ago
Last shitware I can remember was the 3rd party IR remote control software they bundled with Note3/4, because a couple years later it was updated to have ads on lockscreen. But it was easily disableable from the app list.

The latest Samsung device I have is the Tab S8 from this year and the software I would call bloat was all the Google stuff like Youtube, Youtube music, Duo, Chrome, Google search. And worst of all the Google assistant that you have to go to multiple places to disable.

rightbyte · 3 years ago
Bixby, Samsung Pay?

To add injury Bixby hijacks a physical button and Samsung Pay a swipe direction.

aceazzameen · 3 years ago
I agree. In fact I have to install MORE Samsung software (their Good Lock apps) because I loathe the UX of modern Android. Good Lock's customization options make for a better experience IMO.
gjsman-1000 · 3 years ago
You are lucky to have an Unlocked device. Most people don’t and get the carrier’s kitchen sink of added bloat.
AuthorizedCust · 3 years ago
You have no Samsung-built software beyond the minimum needed to make it work well on the hardware!?
charles_f · 3 years ago
> These companies somehow had their signing keys leaked to outsiders

I can dream, but I would love to know what this "somehow" is. Such a leak is a major security threat to a sizeable portion of phone users. Disclaiming what happened and what you are doing about it would be good.

Generally speaking I don't have much trust in anything a large company is building. In this case, this is very likely they haven't used an HSM for something at the root of the security for stuff like Samsung Pay... This is a major smell to me.

cptskippy · 3 years ago
> I would love to know what this "somehow" is.

Multiple independent business units developing apps and needing to share the same signing key. Probably contracting out development to other firms.

Neither Google nor Apple offer robust ways to effectively delegate App development while retaining secrets needed to publish an App. So you effectively need an FTE managing and supporting all of these groups.

charles_f · 3 years ago
Or, and it's crazy but hear me out, use an HSM to sign these apps instead of distributing keys
rolph · 3 years ago
not too long ago I believe there was a dump of samsung IP materials, and proprietary tech resources, if it wasn't there somehow, the method could have been in there.
largepeepee · 3 years ago
I don't get it, the problem has been known for awhile so why hasn't the key been replaced?

Anyone can do an ELI5 on the app signing key replacement difficulty?

It isn't covered in the article and seems too high level for a layman like me.

g_p · 3 years ago
In the world of Android, apps are signed (including system/platform apps) through a trust-on-first-use system. There's no PKI with roots and intermediates which could support easily enabling a quick fix.

On Android, an updated app is validated by the system to be signed by the same signing key hash as was used previously.

The most recent (v3, IIRC) apk signing scheme allows you to update an APK and sign it with the old key, while committing to a future new signing key, which permits re-keying an app.

To use this, I believe you need to ship a platform (operating system) update, as the underlying apps are signed using old APK signing schemes.

These OEMs are likely not always shipping the latest OS version, but could look to techniques used in the custom firmware world, where there are tools to allow reflashing the OS without losing app data when changing system signing key.

It requires engineering effort for already released devices though, so I suspect we will see very little action - as usual, the eyes are on the future products, not on previously released products.

I assume Google play protect will be used to carefully patrol and detect apps on devices signed by the leaked keys, but this isn't hugely helpful for anyone concerned about "zeroday" style targeted attacks against them.
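
As an added illustration of the rule g_p and Izkata describe (not code from the thread or from Android itself): a stdlib-only Python model of the installer's trust-on-first-use check, where an update is accepted only if it carries the installed signer's certificate hash, or a v3-style proof-of-rotation lineage in which each old key signs the next. A toy textbook RSA with fixed primes stands in for real certificates so it runs offline; all names and keys are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Toy RSA (fixed primes, no padding): a stand-in for the APK signer's key pair so the
# example needs no third-party library. Not secure; only the trust logic matters here.
def toy_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_h(data) % n, d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _h(data) % n

def cert_digest(pub) -> str:
    """Android identifies a signer by its certificate hash; here we hash the public key."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

@dataclass
class Apk:
    signer: tuple                                 # key the APK is signed with now
    lineage: list = field(default_factory=list)   # v3 rotation proof: [(old_pub, new_pub, sig_by_old)]

def rotate(old_priv, old_pub, new_pub):
    """Build one lineage link: the old key vouches for the new key."""
    return (old_pub, new_pub, sign(old_priv, repr(new_pub).encode()))

def can_install_update(installed_digest: str, apk: Apk) -> bool:
    """TOFU rule: same signer as the installed app, or an unbroken lineage reaching it."""
    if cert_digest(apk.signer) == installed_digest:
        return True
    if not apk.lineage:                           # v1/v2-signed APK: no way to re-key
        return False
    seen = [cert_digest(apk.lineage[0][0])]
    for old, new, sig in apk.lineage:
        # each link must chain onto the previous one and be signed by the old key
        if cert_digest(old) != seen[-1] or not verify(old, repr(new).encode(), sig):
            return False
        seen.append(cert_digest(new))
    # the installed signer must appear in the chain, and the chain must end at the current signer
    return installed_digest in seen and seen[-1] == cert_digest(apk.signer)
```

A leaked key cannot be "revoked" here: the device accepts anything matching the installed digest until an update carrying a valid lineage moves it onto a new key, which is why the thread talks about shipping new system images rather than a revocation list.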

kar5pt · 3 years ago
So why exactly can't they do an OS update with the new signing keys? OEMs put out OS updates all the time. Plus if they don't want to do that, they could update their individual apps to use the v3 signing schema. They've had 6 years to figure this out.

zitterbewegung · 3 years ago
So the signing key for Samsung Android phones was leaked, so that any software that is loaded is signed such that it appears to come from the App Store and is trusted. The problem for OEMs is that developing and distributing a new key requires a Firmware update and it isn't trivial to develop for QA/QC because if they make a mistake with the keys then devices could be unable to load apps from the App Store.
phkahler · 3 years ago
>> and it isn't trivial to develop for QA/QC because if they make a mistake with the keys then devices could be unable to load apps from the App Store.

Well then they better do some f..ing testing. They're only one of the biggest tech companies in existence. Making phones isn't trivial either!

lern_too_spel · 3 years ago
Not any app installed from the app store but any app signed using Samsung's keys. Such an app could get any permission it pleases when installed. The app store can easily block apps signed with Samsung's keys, but a few people can probably be convinced to download the app outside the app store, which could easily be flagged by Play Protect if it is a Google-flavored phone, preventing install. I don't know if these systems have actually been updated to do this, but I imagine they would be.
ornornor · 3 years ago
Just when it seems like we’ve reached the bottom on the level of Samsung’s incompetence, it just drops deeper.

I’ve avoided Samsung anything for years because of their total disregard for security and total contempt towards their users.

ChuckNorris89 · 3 years ago
>I’ve avoided Samsung anything for years because of their total disregard for security and total contempt towards their users.

The thing is, if you live in the west then all the other major Android brands aren't better at all. There just are no good options anymore. HTC went bust, OnePlus turned to shit, LG threw in the towel, Sony's SW updates cycle is unimpressive for how expensive they are, Google Pixels are buggy as hell and not available in every country, and Motorola, Nokia and Blackberry are basically rebadged Chinese OEM designs. This lack of good options explains why Android lost so much market share to iOS in the last years.

Excluding Chinese phone makers, Samsung is pretty much the only big player in town from a western aligned nation, that has its shit mostly together as of present, promising 5 years of updates, having service and distribution centers in most countries around the world and a wide portfolio covering all price brackets.

For example, if you're in the market for a new relatively affordable mid-range ~300 Euro phone, then Samsung is pretty much your safest bet in the Android space.

Sure, there are better options like Fairphone but those are far away from being globally mainstream.

wnevets · 3 years ago
> Google Pixels are buggy as hell,

That hasn't been my experience.

ornornor · 3 years ago
For about 300 eur you can get 1.5 used iPhone SE 2020 in perfect condition. I know, I’ve bought several recently. Not saying Apple is the greatest in general but that’s an alternative. I personally don’t regret switching over to iPhones years ago. And I only ever buy iPhones from Apple. And I buy them used because they’re insanely expensive otherwise.

That aside, Samsung’s shittiness extends far beyond smartphones. Their TVs are a disaster, their appliances fail just outside warranty, their wearable and speakers are spyware just like the rest of their products… the only thing from them not on my shitlist are semis or components like ram because there isn’t much that can go wrong on this kind of commodity product.

GekkePrutser · 3 years ago
Samsung isn't actually that bad. They augment parts of Android's security model under the 'knox' branding (which is mostly marketing, yes, but they do improve a few things, especially because their Enterprise users ask for these). It's not quite grapheneos but I wouldn't call it disregard for security. For example, they have added an IKEv2 VPN client to the supported system VPN options since Android 6 or so.

They also pioneered the work container before Google started offering this as part of AOSP under the name 'Work Profile'. A feature which is really nice for privacy, separating a user's personal activity from their work activity.

And they're really good at rolling out security patches. Even before apps like SnoopSnitch drew attention to Android OEMs playing loose and fast with patch levels and missing out patches, Samsung was one of the most complete in this area. https://9to5google.com/2018/04/12/android-security-update-mi...

I was a mobile MDM admin of a huge fleet until last year. No commercial involvement with the vendors though because in our company each country picks their own models but technical management is global.

I do have complaints about Samsung like the huge amount of crapware they ship. Upday, facebook, etc. And their ads in their apps. And it's bugging the users to sign up for a personal onedrive account even when they're already signed in to a corporate one :(

But on security I consider them quite good for an Android vendor.

TheBrokenRail · 3 years ago
While it's obviously bad that people are making malware with this key, I do wonder if there could be a silver lining. Samsung and Google lock a lot of cool permissions behind system apps. I wonder if you could use this key to sign your own apps (or make modified versions of existing system apps) and get the benefits of rooting without actually rooting (especially on devices that don't allow unlocking the bootloader)?