10pc of Android devices have KeyStore vulnerability, say researchers (update)

30 Jun 2014

According to IBM Security Systems, 10pc of v4.3 Android devices are vulnerable to a serious breach of security and information through the Android KeyStore giving access to PINs and other encryptions.

While the vulnerability has been patched on the latest version of the OS, KitKat, the remaining 86.4pc of Android users running Jelly Bean or older means that the vast majority are still open to attack from malicious web users, according to ArsTechnica.

Detailing the vulnerability on Security Intelligence, the post written by IBM’s Roee Hay shows that while this leaves the vast majority of users of the Google-produced operating system open to a potential KeyStore hack, the hacker would need to by-pass several layers of technical barriers to be able to gain access to the sensitive information.

The hacker would also need to trick the phone user into downloading an app which could give them access to the KeyStore, however, this series of events is still considered a serious threat for Android users, according to security experts.

Speaking to ArsTechnica, Android security specialist spoke of how important the KeyStore is to a phone’s level of security: “Generally speaking this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone’s user to any service where they’ve got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password.”

However, he later went on to say that not every app is likely to be susceptible: “This means that most banking apps, which force you to type your password every time, are probably safe against this particular attack.”

Update 01 July 2014: We have been informed by IBM’s Security Systems Division that the original statement stating that it affected all versions of Android prior to v4.3 was incorrect and the vulnerability was, in fact, only on v4.3, otherwise known as Jelly Bean, which is currently used by approximately 10pc of all Android users.

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com