Last week, APK Mirror and Android Police owner Artem Russakovskii reported that a cryptographic key Facebook developers use to digitally sign the Free Basics by Facebook app had been compromised, and that third-party apps were turning up signed with the same key.
In the past several weeks, I noticed a bunch of random APKs being uploaded with @facebook's crypto signature used in its Free Basics app.
Upon closer examination, they either used a public debug key or the key got leaked.
Either way, this is dumb, FB. https://t.co/71uSMPO8YP
— Artem Russakovskii (@ArtemR) August 9, 2019
Russakovskii discovered the issue and reported it to Facebook earlier in August. Facebook then pulled the original app listing from the Play Store and replaced it with a new app signed with a new key. Since then, the company has not publicly described the nature of the compromise, nor given users any specific reason for the re-released app, which leaves anyone who still has the old version installed exposed. Before the listing was removed, the original Free Basics by Facebook app had over five million downloads on the Play Store.
Websites like APK Mirror host Android apps for download. They do it for several reasons: to circumvent censorship, so users can download updates before they’re widely rolled out, to mitigate geographic restrictions, and to provide a historical archive for comparison and ease of rolling back updates, among other reasons.
Russakovskii writes, “In the last month, we’ve spotted third-party apps using a debug signing cryptographic key which matched the key used by Facebook for its Free Basics Android app.”
The APK Mirror team notified Facebook about the leaked key, and the company verified it, pledging to address the issue in a new version of the app. The company says it has prompted users to upgrade to the newer version of the app, but did not give them any specific reason for the update.
Potential dangers of a compromised cryptographic key
According to Android Police, the security of Android app updates hinges on the secrecy of each app's signing key. Android will only install a package over an existing app if both are signed with the same certificate, and that check is what lets a device treat an update as genuine; if the key falls into the wrong hands, false updates carrying malicious changes would pass it. Developers therefore usually guard signing keys closely.
Of course, that protection depends entirely on the developer keeping the signing key secret. If the key is publicly available, anyone can sign a package that claims to be an update to the app, and users' phones will install it right over the real one. Losing or leaking a signing key is therefore a serious problem.
If a signing key falls into the wrong hands, third parties can distribute maliciously modified builds of the app as "updates" through channels outside the Play Store, where the device's same-signer check will pass. They can also abuse sites that, like APK Mirror, vet uploads by matching the signing certificate against the one already known for the app: a fake build carrying Facebook's signature looks genuine to that check, so it could be posted to a forum or slipped past a less careful APK distribution site on the strength of its verified signature.
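The following is an added example, not code from Facebook, APK Mirror or the Android platform. It implements the same-signer comparison described above: pull the signer certificates out of an APK's v1 (JAR) signature block, fingerprint them, and accept an "update" only if its signer set equals the installed app's. The APKs here are constructed in memory, and dummy DER SEQUENCEs stand in for X.509 certificates, so the fingerprints are of those dummy bytes; on a real APK the same function yields the SHA-256 values that `apksigner verify --print-certs` reports for v1 signers. The constructed `TROJAN_UPDATE` is the case the article is about: it passes the check precisely because it is signed with the leaked key.

```python
"""Added example, not Facebook's, APK Mirror's or Android's code: the same-signer
check Android applies to an update, and that a mirror site can pre-apply. APKs are
built in memory with dummy DER SEQUENCEs in place of X.509 certificates."""
import hashlib
import io
import zipfile

PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_children(blob: bytes):
    """Yield (tag, whole_tlv, value) for each TLV inside a constructed value."""
    i = 0
    while i < len(blob):
        if i + 1 >= len(blob):
            raise ValueError("truncated DER")
        tag, ln, hdr = blob[i], blob[i + 1], 2
        if ln & 0x80:                              # long form: (ln & 0x7f) length bytes follow
            nb = ln & 0x7F
            ln, hdr = int.from_bytes(blob[i + 2:i + 2 + nb], "big"), 2 + nb
        end = i + hdr + ln
        if end > len(blob):
            raise ValueError("truncated DER")
        yield tag, blob[i:end], blob[i + hdr:end]
        i = end

def certs_from_pkcs7(blob: bytes) -> list:
    """Extract every Certificate DER from a PKCS#7 SignedData ContentInfo."""
    (tag, _, content_info), = der_children(blob)   # exactly one top-level SEQUENCE
    if tag != 0x30:
        raise ValueError("not a ContentInfo")
    oid, signed = list(der_children(content_info))[:2]
    if oid[2] != PKCS7_SIGNED_DATA_OID or signed[0] != 0xA0:
        raise ValueError("not signedData")
    (_, _, fields), = der_children(signed[2])       # [0] EXPLICIT wraps the SignedData SEQUENCE
    for field_tag, _, value in der_children(fields):
        if field_tag == 0xA0:                      # certificates [0] IMPLICIT SET OF Certificate
            return [whole for t, whole, _ in der_children(value) if t == 0x30]
    return []

def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def signer_fingerprints(apk: bytes) -> frozenset:
    """SHA-256 fingerprints of all v1 signer certificates; empty if unsigned."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.update(cert_fingerprint(c) for c in certs_from_pkcs7(z.read(name)))
    return frozenset(fps)

def update_allowed(installed: bytes, update: bytes) -> bool:
    """Android's rule: the update's signer set must equal the installed app's."""
    new = signer_fingerprints(update)
    return bool(new) and new == signer_fingerprints(installed)

def build_apk(cert_der, payload: bytes) -> bytes:
    """Constructed APK: a dummy classes.dex plus, if cert_der is given, a v1 signature
    block carrying that cert. signerInfos is left empty: this example compares
    certificates and does not verify the signature over the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", payload)
        if cert_der is not None:
            signed_data = der(0x30, b"".join([
                der(0x02, b"\x01"),                    # version
                der(0x31, b""),                        # digestAlgorithms
                der(0x30, der(0x06, PKCS7_DATA_OID)),  # encapContentInfo
                der(0xA0, cert_der),                   # certificates [0]
                der(0x31, b""),                        # signerInfos
            ]))
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA",
                       der(0x30, der(0x06, PKCS7_SIGNED_DATA_OID) + der(0xA0, signed_data)))
    return buf.getvalue()

# Constructed stand-ins for certificates (dummy DER, not real X.509).
LEAKED_CERT = der(0x30, der(0x04, b"constructed: leaked Free Basics signing cert"))
OTHER_CERT = der(0x30, der(0x04, b"constructed: unrelated third-party cert"))

INSTALLED = build_apk(LEAKED_CERT, b"constructed dex: free basics 1.0")
LEGIT_UPDATE = build_apk(LEAKED_CERT, b"constructed dex: free basics 1.1")
TROJAN_UPDATE = build_apk(LEAKED_CERT, b"constructed dex: malicious 1.1")  # signed with the leaked key
STRANGER = build_apk(OTHER_CERT, b"constructed dex: someone else's app")
UNSIGNED = build_apk(None, b"constructed dex: no signature at all")

def demo() -> dict:
    return {
        "legit": update_allowed(INSTALLED, LEGIT_UPDATE),     # True
        "trojan": update_allowed(INSTALLED, TROJAN_UPDATE),   # True: the leaked key passes the check
        "stranger": update_allowed(INSTALLED, STRANGER),      # False (INSTALL_FAILED_UPDATE_INCOMPATIBLE)
        "unsigned": update_allowed(INSTALLED, UNSIGNED),      # False
    }
```

The point of the four cases in `demo()` is that the signer check is doing exactly what it was designed to do: it keeps a stranger's package out and rejects an unsigned one, but it cannot tell a legitimate update from a trojan signed with the same leaked key, because the certificate is the only identity it has.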
To make losing a key less catastrophic, Google offers a service called Play App Signing, under which Google holds the app signing key on its own servers and developers sign their uploads with a separate upload key that can be reset if it is lost or leaked; a compromised signing key can also be "upgraded" to a new one for new installs. Separately, Android 9 Pie introduced key rotation through APK Signature Scheme v3: the APK carries a lineage in which each new signing certificate is endorsed by the previous key, so a device can securely accept an update whose current key differs from the one it has installed. The caveat is that a rotation must be signed by the old key, so once a key has leaked, anyone holding it can sign a rotation of their own; rotation protects planned key changes, not a key that has already been compromised.
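The following is an added toy model of the signing-lineage check, not Android's or Google's code. Android stores the lineage in the APK's v3 signing block with real X.509 certificates and RSA or EC signatures; here a "cert" is just a public-key tuple and signatures are textbook RSA over a truncated SHA-256 with fixed Mersenne-prime keys, which is only safe as a demonstration. The rule it shows is faithful: every new signer is endorsed by the previous signer's private key, and an update is accepted if the installed signer appears in a lineage whose every step verifies. It also shows the caveat stated above: with the leaked key, an attacker can produce a valid rotation to a key of their own.

```python
"""Added example, not Android's code: a toy signing lineage ("proof of rotation")
in the style of APK Signature Scheme v3. Keys are textbook RSA built from fixed,
well-known Mersenne primes; never use such keys for anything real."""
import hashlib

E = 65537

def toy_keypair(p: int, q: int):
    """(public, private) from two known primes. Toy: real keys are generated randomly."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _rep(msg: bytes) -> int:
    """Message representative: 128 bits of SHA-256, smaller than every modulus below."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")

def toy_sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_rep(msg), d, n)

def toy_verify(pub, msg: bytes, sig) -> bool:
    n, e = pub
    return isinstance(sig, int) and pow(sig, e, n) == _rep(msg)

def encode(pub) -> bytes:
    """Canonical bytes of a 'certificate' (here just the public key)."""
    return f"{pub[0]}:{pub[1]}".encode()

def new_lineage(root_pub) -> list:
    """The first node is the original signer; nobody endorses it."""
    return [{"cert": root_pub, "endorsement": None}]

def rotate(lineage: list, old_priv, new_pub) -> list:
    """Append a node: the current signer's private key endorses the new cert."""
    return lineage + [{"cert": new_pub, "endorsement": toy_sign(old_priv, encode(new_pub))}]

def lineage_valid(lineage: list) -> bool:
    """Every node after the root must be endorsed by the node before it."""
    return all(toy_verify(prev["cert"], encode(cur["cert"]), cur["endorsement"])
               for prev, cur in zip(lineage, lineage[1:]))

def update_allowed(installed_cert, update_lineage: list) -> bool:
    """Accept if the installed signer is the current signer or an ancestor of it
    in a lineage whose every step verifies."""
    return lineage_valid(update_lineage) and any(
        node["cert"] == installed_cert for node in update_lineage)

def mersenne(k: int) -> int:
    return (1 << k) - 1

# Constructed keys (toy). Exponents 61, 89, 107, 127, 521 and 31 are all Mersenne primes.
ORIG_PUB, ORIG_PRIV = toy_keypair(mersenne(61), mersenne(89))    # the key that leaked
NEW_PUB, NEW_PRIV = toy_keypair(mersenne(107), mersenne(127))    # developer's replacement key
ATT_PUB, ATT_PRIV = toy_keypair(mersenne(521), mersenne(31))     # attacker's own key

INSTALLED_CERT = ORIG_PUB                                        # what users currently have
DEVELOPER_LINEAGE = rotate(new_lineage(ORIG_PUB), ORIG_PRIV, NEW_PUB)
FORGED_LINEAGE = new_lineage(ORIG_PUB) + [{"cert": ATT_PUB, "endorsement": 123456789}]
LEAKED_KEY_LINEAGE = rotate(new_lineage(ORIG_PUB), ORIG_PRIV, ATT_PUB)  # attacker holds ORIG_PRIV

def demo() -> dict:
    return {
        "developer_rotation": update_allowed(INSTALLED_CERT, DEVELOPER_LINEAGE),    # True
        "forged_endorsement": update_allowed(INSTALLED_CERT, FORGED_LINEAGE),       # False
        "attacker_unrelated": update_allowed(INSTALLED_CERT, new_lineage(ATT_PUB)), # False
        "attacker_rotation": update_allowed(INSTALLED_CERT, LEAKED_KEY_LINEAGE),    # True
    }
```

`attacker_rotation` is the case to notice: the lineage is cryptographically valid because the attacker signed it with the very key that leaked, so rotation gives a device no way to distinguish the developer's new key from the attacker's. That is why a leaked key is recovered from by moving users to a differently signed package rather than by rotating.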
Facebook’s lax approach in addressing the security issue
According to APK Mirror, the old app tells users to move to the new version, but no specific explanation has been given to them. A Facebook spokesperson told APK Mirror that users were simply notified in the old app that they needed to upgrade. The APK Mirror team could not inspect the old app or the exact message shown to users, because the Free Basics app does not appear to work outside specific markets.
Additionally, the new Play Store listing makes no mention that the old app's security was undermined by the leaked signing key, and the APK Mirror team found no disclosure of how the leak affects users anywhere on Facebook's site or the internet.org site.
When asked for a statement, a Facebook spokesperson provided the following:
“We were notified of a potential security issue that could have tricked people into installing a malicious update to their Free Basics app for Android if they chose to use untrusted sources. We have seen no evidence of abuse and have fixed the issue in the latest release of the app.”