The magnitude of Android's "master key" bug
Posted on 08 July 2013.
The Android flaw whose existence was revealed last week by Bluebox Security is as bad as they come.

"Blowing hash and signing functions so that the underlying code can be changed without the hash and sigs changing is horrifyingly atrocious. This is the code equivalent of impersonating a person with a mask so good nobody, not even the real person themselves, can tell the difference," Peter Biddle, well-known proponent of trusted computing, explained in a blog post.

"The entire value of a chain of trust is that you are limiting the surface area of vulnerability to the code-signing and hashing itself. This bug, if it's as described, destroys the chain. All bets are off. You'd be better off without the assertions and chain at all: Treat everyone as adversarial and move all critical operations off-device and into something you know you can trust."
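The article does not describe the mechanism behind the bug, only its effect: code changes while the hash and signature checks still pass. What Bluebox later detailed, and what Google's fix addressed, was that an APK (a ZIP) could carry two entries with the same name, and the component that verified signatures read one copy while the component that installed the app read the other. The following is an added example, not code from the article, from Bluebox or from Android: it builds a constructed in-memory archive standing in for an APK, models the two parsers as "take the first entry with this name" and "take the last entry with this name" (Python's own `zipfile` module behaves like the latter, since its name-to-entry dictionary keeps the last copy), shows a naive verifier accepting the tampered package, and then shows the check a practitioner wants, namely rejecting any archive whose entry names are not unique. The SHA-256 "manifest" is a simplification of the signed digest table in a real APK.

```python
import hashlib
import io
import warnings
import zipfile

# Constructed sample contents standing in for the signed and the injected
# classes.dex; they are not real Dalvik bytecode.
GOOD_DEX = b"dex\n035\x00original app code"
EVIL_DEX = b"dex\n035\x00injected app code"


def build_zip(entries):
    """Write (name, bytes) pairs into an in-memory ZIP, keeping duplicate names.

    zipfile warns about a duplicate name but still writes both entries, which
    is exactly the shape of archive this example is about.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def digests(entries):
    """Simplified stand-in for the signed manifest: name -> SHA-256 of content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in entries}


def read_first(zipdata, name):
    """Parser A: walk the central directory, take the first entry with the name."""
    with zipfile.ZipFile(io.BytesIO(zipdata)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.open(info).read()
    raise KeyError(name)


def read_last(zipdata, name):
    """Parser B: zipfile's name -> entry dictionary keeps the *last* entry."""
    with zipfile.ZipFile(io.BytesIO(zipdata)) as zf:
        return zf.read(name)


def verify_naive(zipdata, manifest):
    """Verifier that checks each manifest name once, using parser A."""
    return all(
        hashlib.sha256(read_first(zipdata, name)).hexdigest() == digest
        for name, digest in manifest.items()
    )


def duplicate_names(zipdata):
    """Names that occur more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(zipdata)) as zf:
        names = [info.filename for info in zf.infolist()]
    return sorted({n for n in names if names.count(n) > 1})


def verify_strict(zipdata, manifest):
    """Hardened verifier: unique names, entry set equal to the manifest, then hashes."""
    if duplicate_names(zipdata):
        return False
    with zipfile.ZipFile(io.BytesIO(zipdata)) as zf:
        names = [info.filename for info in zf.infolist()]
    if set(names) != set(manifest):
        return False
    return verify_naive(zipdata, manifest)


def demo():
    """Sign a clean package, append a second classes.dex, and compare the parsers."""
    signed = [("classes.dex", GOOD_DEX)]
    manifest = digests(signed)
    tampered = build_zip(signed + [("classes.dex", EVIL_DEX)])
    return {
        "naive_accepts": verify_naive(tampered, manifest),   # True: parser A sees the signed copy
        "installer_sees": read_last(tampered, "classes.dex"), # EVIL_DEX: parser B runs the other
        "duplicates": duplicate_names(tampered),             # ["classes.dex"]
        "strict_accepts": verify_strict(tampered, manifest), # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of `verify_strict` is that the signature scheme is not what failed here; the two ZIP parsers disagreed about which bytes the signature covered. Refusing to reason about an archive with ambiguous structure removes that disagreement regardless of which copy either parser happens to prefer.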

Google has apparently made it impossible to submit apps modified to exploit this flaw to Google Play, and I wonder whether the banning of self-updating apps back in April was partly meant to counter this attack vector.

Nevertheless, as ESET Senior Research Fellow David Harley says, "it's not unknown for malicious apps to get onto the Google Play store."

"Google only validates apps that are submitted to Google Play: however, whereas iGadget users can only install apps from Apple's App Store unless they jailbreak the device, there are a number of legitimate repositories that Android users can shop from, and apps from those sources are not necessarily validated at all," he also pointed out.

But many agree that the biggest problem with this flaw is that fixes for it will probably never reach all Android users: owners of older phone models running outdated Android versions already receive no updates from their operators, and it will take operators quite some time to push out patches even for newer models.

The only good news in all of this is that the bug hasn't, so far, been spotted being exploited in the wild.
