The magnitude of Android's "master key" bug
Posted on 08 July 2013.
The Android flaw whose existence was revealed last week by Bluebox Security is as bad as they come.

"Blowing hash and signing functions so that the underlying code can be changed without the hash and sigs changing is horrifyingly atrocious. This is the code equivalent of impersonating a person with a mask so good nobody, not even the real person themselves, can tell the difference," Peter Biddle, well-known proponent of trusted computing, explained in a blog post.

"The entire value of a chain of trust is that you are limiting the surface area of vulnerability to the code-signing and hashing itself. This bug, if it’s as described, destroys the chain. All bets are off. You’d be better off without the assertions and chain at all: Treat everyone as adversarial and move all critical operations off-device and into something you know you can trust."

Google has apparently made it impossible to submit apps that have been modified to exploit this flaw to Google Play, and I wonder whether the banning of self-updating apps back in April was meant, in part, to counter this attack vector.

Nevertheless, as ESET Senior Research Fellow David Harley says, "it’s not unknown for malicious apps to get onto the Google Play store."

"Google only validates apps that are submitted to Google Play: however, whereas iGadget users can only install apps from Apple’s App Store unless they jailbreak the device, there are a number of legitimate repositories that Android users can shop from, and apps from those sources are not necessarily validated at all," he also pointed out.

But many agree that the biggest problem with this flaw is that fixes for it will probably not reach all Android users: users of older phone models with outdated Android versions already don't receive updated versions from operators. It will also take quite some time for operators to push out patches for newer models.

The only good news in all of this is that the bug hasn't, so far, been spotted being exploited in the wild.









Copyright 1998-2014 by Help Net Security.