Researchers recently discovered a serious application security flaw that may expose as many as 86 percent of all Android users to risk.
According to PC Magazine, the flaw was discovered by IBM security researchers in September of last year. The researchers informed the Android Security Team, which subsequently released a patch for version 4.4 KitKat. However, earlier versions of Android have not received a patch, meaning that users on those versions may be vulnerable to opportunistic cybercriminals. As the news source pointed out, data provided by Google suggests that only about 13.6 percent of Android users have KitKat 4.4 installed, with the rest relying on older versions.
A serious vulnerability
The security flaw resides in the Android KeyStore, according to Ars Technica. This is a very sensitive section of the Android operating system, as it stores cryptographic keys and other credential-related information.
"By exploiting the bug, attackers can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets," the news source explained.
Dan Wallach, a professor with Rice University's computer science department who specializes in Android security, told Ars Technica that this flaw amplifies the importance of application security on an individual basis.
"The amount of damage you can do … has a lot to do with which apps this lets the attacker compromise," he explained.
An app that lacks robust protection may be susceptible to attackers exploiting this flaw, whereas a better-defended app will remain secure.
However, the flaw is not as bad as it may at first appear. Ars Technica noted that cyberattackers must overcome a number of technical obstacles in order to take advantage of the vulnerability, thanks to a variety of security measures built into Android. These include data execution prevention (DEP) and address space layout randomization (ASLR) features.
Yet, as PC Magazine pointed out, this is not the only security flaw present in Android devices. Google has acknowledged that its Android 4.1.1 operating system remains vulnerable to the Heartbleed bug, despite a number of patches. This affects as many as one-third of all Android users.
These findings highlight the importance of security not just for users, but also for app developers, as these vulnerabilities and others will force consumers to be more careful and selective when choosing apps.