Facebook Basics is a Facebook app aimed at countries with poor connectivity, where a free access service to WhatsApp and Facebook is provided. It has been discovered that the Android version used a “Debug” certificate shared by other unrelated applications and in other markets. Moreover, within ElevenPaths we have verified that since 2015 such certificate was shared with Chinese apps on Google Play. This means that they shared private key and could even influence the original app.
A few days ago, the owner of the Android Police page reported that the same certificate used to sign the app Facebook Basics was being used by many other apps in other markets, with no apparent relationship.
Facebook has downplayed the issue by claiming that there is no evidence that the certificate has been exploited and that it has already been fixed. However, this is not so simple, so both consequences and potential causes are only bad news.
Android APKs must be signed with self-signed certificates. This breaches a little bit any rule from a chain of trust, but at least it preserves the integrity of the app and allows its updating. If you sign an app with a certificate and upload it to Google Play, you will never be able to change the certificate (or the package name) if you wish to update it. If you lose the certificate, you will have to create a different appꟷand this is what Facebook has done to “fix it”.
Nevertheless, Facebook has not (supposedly) lost the private key of the signing certificate. They have done something different (worse?) what we can only speculate about. To begin with, they have used an ‘Android Debug’ certificate without real filled data. This, in addition to the bad image, means that they have left the typical test certificate at the production stage.
How is it possible that third parties use this certificate? This certificate might be public. There are some cases, and some developers use it by ignorance or because they do not make efforts to develop high-quality apps… But they may have lost control over this certificate as well, which would imply a lack of security over its development. Another possibility is that the app had been commissioned to a third party (freelance?) and this one worked on it later by signing with the same key (which is strongly inadvisable).
Furthermore, from ElevenPaths we have ascertained that the apps signed with the same certificate were not exclusively in other markets, but that already in 2015 (when Facebook Basics was released) we found Chinese applications signed and already taken down from the market.
* App: af739e903e97d957a29b3aeaa7865e8e49f63cb0 Signed with: 5E8F16062EA3CD2C4A0D547876BAA6F38CABF625 On Google Play from approximately 2015-09-20 to 2016-10-07.
* App: 063371203246ba2b7e201bb633845f12712b057e Signed with: 5E8F16062EA3CD2C4A0D547876BAA6F38CABF625 On Google Play from approximately 2015-10-21 to 2016-06-22.
* App: c6a93efa87533eeb219730207e5237dfcb246725 Signed with: 5E8F16062EA3CD2C4A0D547876BAA6F38CABF625 On Google Play from approximately 2015-09-15 to 2015-09-16.
In addition to the poor image of Facebook (is there any area where privacy has not been brought into question?), an attacker could have taken advantage of this to fraudulently update the app of Facebook. How? Well, to update an app it just needs to have the same certificate and it is only necessary to have access to the Google Play account. It’s not easy, but with this Facebook was doing half the work to be performed by an attacker.
Moreover, the work to perform a potential collusion attack in Android applications would be facilitated as well. These are well-known attacks involving different applications which are not malicious by themselves but working together may lead to an attack. An example is by adding permissions of two applications so that together the attacker can have more power on the phone, even if individually they seem harmless. To achieve this kind of attacks, such apps must be signed with the same certificate. Again, the necessary work was being provided to a potential attacker. On top of all this, Facebook did not want to reward the discoverer because he made it public on Twitter before reporting the issue.