The magnitude of Android's "master key" bug
Posted on 08 July 2013.
The Android flaw whose existence was revealed last week by Bluebox Security is as bad as they come.

"Blowing hash and signing functions so that the underlying code can be changed without the hash and sigs changing is horrifyingly atrocious. This is the code equivalent of impersonating a person with a mask so good nobody, not even the real person themselves, can tell the difference," Peter Biddle, well-known proponent of trusted computing, explained in a blog post.

"The entire value of a chain of trust is that you are limiting the surface area of vulnerability to the code-signing and hashing itself. This bug, if it’s as described, destroys the chain. All bets are off. You’d be better off without the assertions and chain at all: Treat everyone as adversarial and move all critical operations off-device and into something you know you can trust."

Google has apparently made it impossible to submit to Google Play apps that have been modified to exploit this flaw, and I wonder if the banning of self-updating apps back in April was made to partially counter this attack vector?

Nevertheless, as ESET Senior Research Fellow David Harley says, "it’s not unknown for malicious apps to get onto the Google Play store."

"Google only validates apps that are submitted to Google Play: however, whereas iGadget users can only install apps from Apple’s App Store unless they jailbreak the device, there are a number of legitimate repositories that Android users can shop from, and apps from those sources are not necessarily validated at all,” he also pointed out.

But many agree that the biggest problem with this flaw is that fixes for it will probably not reach all Android users, as users of older phone models with outdated Android versions already don't receive updated versions from operators. It will also take quite some time for them to push out patches for newer models.

The only good news in all of this is that the bug hasn't, so far, been spotted being exploited in the wild.









Spotlight

The evolution of backup and disaster recovery

Posted on 25 July 2014.  |  Amanda Strassle, IT Senior Director of Data Center Service Delivery at Seagate Technology, talks about enterprise backup issues, illustrates how the cloud shaping an IT department's approach to backup and disaster recovery, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Jul 28th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //