Low and medium-severity issues fixed in Amazon's mobile OS

Jun 29, 2015 21:59 GMT

When Amazon’s Fire OS 4.6.1, used on the Fire Phone, was released in May, the company's announcement focused on new features and functionality, while bugs, including those related to security, went unmentioned.

However, the company did work in this area and fixed at least three security vulnerabilities present in the Android-based operating system used on Fire Phone, their severity ranging from low to medium.

Certificate installation issues

All three vulnerabilities were reported by security consultancy MWR at the beginning of the year and disclosed last week. Two of the flaws have been deemed to present a medium risk to users; both involve the installation of TLS certificates without user interaction, although a notification would be issued.

MWR explains that an attacker could exploit the vulnerabilities through a man-in-the-middle (MitM) attack to view encrypted traffic from the client. In both cases, certificate pinning would foil the attempt, but this protection mechanism is not adopted on a wide scale.

Certificate pinning is an additional validation mechanism that consists of bundling the certificate validation data (the certificate itself, its fingerprint or its public key) in the app. This way, if the info from the server is not an exact match, the connection is refused.
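
The pin check described above, sketched in Python as an added example (not code from MWR, Amazon or the article): it shows why a certificate chaining to a silently installed CA passes the platform's trust check but is still refused by an app that pins a fingerprint. The byte strings are constructed stand-ins for DER certificates, and the host name, CA names and helper functions are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_SERVER_CERT = b"constructed-der:CN=api.example.test,issuer=Public CA"
MITM_SERVER_CERT = b"constructed-der:CN=api.example.test,issuer=Rogue CA"

# Hypothetical device trust store after a CA was installed without user
# interaction: the platform now trusts certificates issued by "Rogue CA".
DEVICE_TRUST_STORE = {"Public CA", "Rogue CA"}


def fingerprint(cert_der: bytes) -> str:
    """Pin string for a certificate: 'sha256/' + base64(SHA-256(DER bytes))."""
    digest = hashlib.sha256(cert_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


# Fingerprints bundled with the app at build time (assumption: a single pin).
BUNDLED_PINS = {fingerprint(GENUINE_SERVER_CERT)}


def pin_matches(cert_der: bytes, pins: set) -> bool:
    """True only if the presented certificate's fingerprint is a bundled pin."""
    presented = fingerprint(cert_der)
    return any(hmac.compare_digest(presented, pin) for pin in pins)


def connection_allowed(cert_der, issuer, trust_store, pins=None) -> bool:
    """Model of the client decision: platform trust first, then the pin.

    `issuer in trust_store` stands in for normal chain validation; passing
    pins=None models an app that relies on the platform trust store alone.
    """
    if issuer not in trust_store:
        return False          # ordinary validation failure
    if pins is not None and not pin_matches(cert_der, pins):
        return False          # trusted chain, but not the pinned certificate
    return True


if __name__ == "__main__":
    cases = [
        ("no pinning, MitM cert", MITM_SERVER_CERT, "Rogue CA", None),
        ("pinning, MitM cert", MITM_SERVER_CERT, "Rogue CA", BUNDLED_PINS),
        ("pinning, genuine cert", GENUINE_SERVER_CERT, "Public CA", BUNDLED_PINS),
    ]
    for label, cert, issuer, pins in cases:
        allowed = connection_allowed(cert, issuer, DEVICE_TRUST_STORE, pins)
        print(f"{label}: {'allowed' if allowed else 'refused'}")
```

Pinning the certificate's fingerprint means the bundled pin must be updated whenever the server certificate is renewed; pinning the public key avoids that as long as the key is reused.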

“The CertInstaller package on the Amazon Fire Phone allows applications to install certificates without interaction with the user. Although the application’s name is identical to the base Android package, the source code has been modified specifically for the Amazon Fire Phone,” Bernard Wagner of MWR explains in the advisories.

Insufficient protection for ADB connection

The third vulnerability is less severe and relates to the Secure USB Debugging feature, which restricts the number of hosts that can connect to a device through the Android Debug Bridge (ADB) command line tool.

On Fire OS versions earlier than 4.6.1, MWR found that Secure USB Debugging was not enforced. The severity of the issue is low because exploitation is possible only if USB debugging mode is turned on, a scenario unlikely in the case of average users.

A sufficiently skilled attacker gaining ADB access to the device would be able to install or remove apps even if there is lock screen protection, access a high-privilege shell on the terminal and steal information from apps and settings.