Wednesday, November 6, 2013

Android KitKat : Network may be monitored by an unknown third party

Update 1/26/2015 - Google has refused to take this issue seriously.  They have closed several bugs posted on the Android bug tracker.   Fortunately, there are some other people out there that agree that the current implementation is broken.   Unfortunately, Google doesn't seem to think that it is worth fixing.   Since I know a lot of people find this page while looking for information on this annoying warning, I would encourage you to go to the current bug on the Android bug tracker, and star it to show Google that you want this resolved!   Perhaps if enough of us star it, Google will start to pay attention.   You can find the current open bug here.

Let me start by making the disclaimer that these observations are based on an AOSP build of Android KitKat on a Galaxy Nexus.   (My Nexus 5 isn't due for two more days.)   However, things like this that exist in AOSP tend to also exist in the release builds.

Along with all of the great new features in KitKat, Google has introduced what is probably the WORST security hole possible.   A ham-fisted implementation of certificate pinning.

Certificate pinning itself is a good idea.   It verifies that when you visit a web site, it provides you with the same certificate every time.   In general, certificates shouldn't be changing on web sites, and if one does you should be made aware of it.

So, how could certificate pinning be a security hole then?   By creating a situation where a harmless certificate creates a scary, and unnecessary, warning message.  When you install any certificate in to the key store, you get a warning icon in the bar at the top of the screen.   Pulling down the shade presents the following screen :


Let's consider the average user at this point.   Given the revelations about all of the snooping by various governments, it seems that a warning like this would make uninformed users very concerned.   (And, lets face it, there are very few informed users when it comes to 802.1X on Android.)   But, okay, maybe I am freaking out over nothing.  What happens when we tap the warning?


Hmm... Maybe not.   So, the assumption that an uninformed user is to draw based on this is that having any form of third party "trusted credential" installed means that a 3rd party will probably be monitoring my traffic.

I'm going to skip over the obvious irony here that something from Google is warning me that a 3rd party might be monitoring the web sites I visit, and reading my e-mail.  (If the irony is lost on you, you may want to do some research.)

Google seems to be trying to argue that the only safe type of certificate is one that comes pre-installed on your device.   Which is a downright silly argument no matter how you slice it.   But, lets go ahead and let that one slide.   Being the security minded individual that I am, I make sure that all of my network connections are as secure as possible.   So, I make the (probably bad) assumption that purchasing a certificate for my RADIUS server from a public CA will provide me what I need in order to have a secure wireless network.

Once I get the network setup, I try to connect my Android device to the network.   Now, being that we have paid even a little attention to the security issues around wireless networks, we know that we need to validate the server certificate in order to have a secure connection.   No problem, we purchased from a public CA, so we will just select that in the configuration settings.   But, you can't.   The pre-installed certificates on Android can't be used with 802.1X authentication.   Okay, no problem.  I'll just install the CA certificate on my device and then use that.   Oh, what is this scary message?

Now, those of us that understand the meaning of this message will just dismiss it.   But, let's assume that you aren't a techno savvy individual that has enough time to spend learning about security.   This warning is going to freak you out!   If this conversation hasn't happened on a message board yet, it will soon :

"Hey, I got the upgrade to KitKat, and it is great!  But, now I get this warning saying that someone is monitoring my network connection!   How do I make that go away!?  I don't want someone monitoring my network connection!"

"Getting rid of that warning is easy.   Go to Settings->Security->Clear credentials.   After that, the warning will go away."

"Thanks!  The warning is gone.  But now I can't connect to my wifi network!  HELP!"

"Not a problem.  Go in to the configuration for your wifi network and change the 'CA certificate' setting to '(undefined)'.  Problem solved!"

"Perfect!  That solved my problem!  Thanks!"



And somehow Google either didn't consider this case, or they really want to decrease the security of wireless networks.

Anyway, if you happen across this post while looking for how to make this scary looking warning go away, and you use a secure wifi network, please just swipe the warning out of the shade.   It is really nothing to worry about.   (I'll do a follow-up post in the next week or so about how authentication on wifi works and why you should care.)

Edit 11/26/2013 : A coworker pointed out that my blog post was referenced in a bug posted to the Android bug tracker.   The same bug post had a response from someone using an @android.com e-mail address outlining why this issue isn't a problem.   I tested their solutions and wrote about it here.

11 comments:

  1. I barely understood half of that, but basically I don't need to worry? That's the gist?

    ReplyDelete
    Replies
    1. In the majority of cases, I wouldn't worry too much. The gist of the warning message is that once you trust a certificate by installing it, a bad actor could potentially intercept your traffic and view (or change) what you are doing. However, if you installed the certificate to connect to a wifi network, and the security layers in Android are implemented correctly, the risk is quite low. At that point you are trusting that the certificate authority doesn't issue certificates to just anyone, which is also a problem with the built-in certificates that are trusted by default.)

      This is what drives me crazy about this warning. It looks like an error message, and it looks really scary. I suspect the idea is to try to get people that don't understand certificates to do some research and decide if they are okay with the risks associated with trusting a new certificate authority. The problem is, most IT people don't really understand the actual dangers associated with trusting a new certificate authority. (Let alone, trusting the default ones that come with your device by default!)

      Let me know if anything I said doesn't make sense, and I'll try to explain it a bit better.

      Delete
  2. I agree. This new nonsense "feature" needs to go.

    You know what's the worst part? When you load up the list of Root CAs in the System Trusted Credentials, you see an extremely lengthy list comprised of ~100 Root CAs enabled by default. That's around 100 Root CAs who have the potential to fuck shit up, and there's likely a number that have been silently compromised at any one time. But that's okay - Google has already decided for you that they're legit.

    Yet, when you go out of your way to place a CA on your device and then take the time to load it into your User Trusted Credentials, you get this silly warning. It's insulting.

    ReplyDelete
  3. In my case, the certificate was installed to access my corporate email account on my Nexus 7 tablet. While, it's not specifically for accessing a WiFi network, it sounds like it's also nothing to worry about. Any additional concerns of management "spying" in this scenario?

    ReplyDelete
    Replies
    1. Hi Joel - I would actually say that your case is one where the possibility of spying is a bit more real. However, you also have to consider how the spying would work.

      The devices that would spy on your network connection have to sit between you and the Internet in order to be effective. So, the only time you would be at risk of spying by your company is when you are at work and they can insert a device in your path to the Internet. If you use your tablet at a coffee shop, at home, or any place that your corporate IT people don't run the network, you probably have nothing to worry about.

      However, your question raises one of my complaints about this scary looking message. Why is there no additional information available for people to read up on and understand what the real risks are? I suspect most people would find that the risks are small enough that they don't care. And, if that is the case, Android should allow you to disable the warning. Or, better yet, include some of the fancy network timing algorithms that allow a device to detect if they are likely being monitored and display the warning then.

      Instead, what Google has done would be similar to any time you walk in to a theater yelling "fire" because there is a chance (no matter how small) that there is a fire in the theater. How much sense does that really make?

      Delete
  4. Thanks for the reply. That makes sense about spying only being possible when the network is corporate owned. But I've always assumed that is the case, and never assumed privacy when using corporate resources. As long as I'm not at greater risk while at home, I suppose I see no harm in leaving the certificate in place.

    It's been awhile since the issue has come out, I wonder if Google plans on updating it in a future release.

    ReplyDelete
    Replies
    1. I doubt they are, the developer that said it "works as intended" has to be an intern. My wife's corporate email is accessible on her device, and they have used some other method of security. Android bonks on this.

      Delete
    2. If you are referencing the bug post that I think you are, then I can assure you he is not an intern. In fact, he is quite knowledgeable and a good guy. But, as a developer myself, it isn't uncommon to be given orders from a higher up that you disagree with, and then later have to support. (Not saying he does or doesn't disagree with this "feature" as I can honestly say I don't know.)

      I have also discovered that in the latest versions of Android, you can get around seeing this warning when you use the wireless API to configure 802.1X and you set the certificates that way. However, if you manually set the certificates this warning still shows up, even if you put them in the wifi store.

      I will actually be on the Google campus next week, and tried to set up a meeting to talk about this, but I have not received an answer from those involved. No doubt they know who I am and are not too happy that I posted what I have. But, I will still argue that the folks I know at Google are good, knowledgeable folks that are really trying to do the best they can. And I hope that they have passed along to their superiors that this warning needs a lot of work.

      FWIW - I am aware of a significant number of organizations that DO install certificates with the purpose of monitoring what people do on their networks. So I am not against this warning. I just think they messed up in how it was implemented.

      Delete
  5. Okay so I did the security and clear the credentials. But now I'm stuck can't seem to find on my note 3 the configuration for my wifi in order to change the CA to change to undefined... HELP!!!!

    ReplyDelete
  6. Nearly wet myself laughing!

    "I'm going to skip over the obvious irony here that something from Google "

    ReplyDelete