Android 'Master Key' DEMON APPS sniffed out in China

Virus-hunter Symantec says the Android master key vulnerability is being exploited in China, where half-a-dozen apps have shown up with malicious content hiding behind a supposedly-safe crypto key. The simple, straightforward and utterly stupid vulnerability arises because, as Bluebox Security demonstrated recently, someone …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    At the risk of being downvoted into Oblivion

    At times like this I have to wonder if (from a purely technical point of view) the 'closed' systems such as iOS and BBOS etc. are worth using just to avoid this sort of thing.

    Until the Android people get serious about security, I can't help thinking about the risks here. The words 'Train wreck' seem to pop into my mind.

    Just what is the chocolate factory going to do about this? AFAIK, having the master keys means that each and every Android device is open to being attacked. Changing the keys would be next to impossible (AFAIK).

    1. Anonymous Coward

      Re: At the risk of being downvoted into Oblivion

      They don't have the "master keys", the application developers have the keys, what is happening here is the keys are used to verify the valid file and another file with the same name is being installed.

      What the chocolate factory have done is patched Android, unfortunately that's only likely to make its way to Nexus devices in the foreseeable future since manufacturers already have their money and would rather spend their time getting more of it by working on the next device.

      Your reason for open vs closed source is off-base here, because vulnerabilities exist in all systems. The only difference between open/closed source is they can be found in the source code easier (by malicious or good coders) than on a closed system where the binaries must be tested/exploited. The advantage of open source is this will be patched in CyanogenMod (and other 3rd party ROMs) before manufacturers pull their fingers out.

      I don't want this to come across as defending Google, as this is a pretty schoolboy design error, likely caused by a communication problem between the teams that coded the signature checking and installation systems.

    2. as2003

      Re: At the risk of being downvoted into Oblivion

      Just as an addendum to the above; comparing Windows to Linux a decade ago would lead you to a very different conclusion regarding the security of open vs. closed systems.

      Would I be out of line to suggest that it's fairly foolhardy to claim 'closed' is inherently more secure than 'open', on the basis of a single piece of anecdotal evidence?

      1. Anonymous Coward

        Open vs. closed

        While I agree that open source should be more secure in the long run, I think the point was being made about open vs. closed for the APPS, not the OS.

        There are obvious advantages security wise to permitting only a single app store (assuming an unjailbroken phone) and requiring pre-approval of those apps. This does not guarantee the apps don't do something bad, but makes it less likely.

        This is a tradeoff of course, because you give up a certain freedom of choice where some apps that may be possible to create but don't get approved for whatever reason aren't available to you (i.e. you can't replace the iOS keyboard)

    3. Khaptain Silver badge

      Re: At the risk of being downvoted into Oblivion

      "AFAIK, having the master keys means that each and every Android device is open to being attacked. Changing the keys would be next to impossible (AFAIK)."

      They are not open to attack UNLESS the user installs some dodgy software from bad sources.

      HOWEVER, should any of this software end up on the Google Play Store then that really could be a nightmare. (I am thinking repackaged Angry Birds or whatever the next fad game will be.)

      1. Geoff Campbell Silver badge

        Re: Google Play Store

        I understand that all apps in the Play Store have been/will be checked - it must be a pretty easy check to run through and look for anything with multiple files of the same name, and immediately block them.

        GJC

        1. Robert Carnegie Silver badge

          Not so easy

          I assume that in an Android app you can legitimately have the same file name in multiple folders - en/help.txt, fr/help.txt, de/help.txt. So you allow that. But then, what about... well, I don't know if ideas that I can think of for making the picture still more complicated actually constitute vulnerabilities, but I'll keep them to myself, anyway.
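The check discussed in the two comments above, sketched as an added example (not code from the article, from Google, or from any commenter): it compares full entry paths, so en/help.txt and fr/help.txt are never flagged, and reports only paths that occur more than once in the archive. The sample archives and the names `duplicate_entries`, `verdict` and `build_sample` are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(apk_bytes):
    """Map each full entry path that occurs more than once to the CRC32 of
    every copy, in archive order. Paths are compared whole, so the same
    file name in different folders is not reported."""
    by_name = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps every record, repeats included; name-based
        # lookups such as getinfo() return a single entry per name.
        for info in zf.infolist():
            by_name[info.filename].append(info.CRC)
    return {name: crcs for name, crcs in by_name.items() if len(crcs) > 1}


def verdict(apk_bytes):
    """'block' if any full path repeats, else 'ok'."""
    return "block" if duplicate_entries(apk_bytes) else "ok"


def build_sample(entries):
    """Constructed test input: a ZIP built from (path, data) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on repeats
        with zipfile.ZipFile(buf, "w") as zf:
            for path, data in entries:
                zf.writestr(path, data)
    return buf.getvalue()


# Constructed samples, not real apps.
LOCALISED = build_sample([("assets/en/help.txt", b"Help"),
                          ("assets/fr/help.txt", b"Aide"),
                          ("classes.dex", b"placeholder-a")])
REPEATED = build_sample([("classes.dex", b"placeholder-a"),
                         ("assets/en/help.txt", b"Help"),
                         ("classes.dex", b"placeholder-b")])

if __name__ == "__main__":
    for label, blob in (("localised", LOCALISED), ("repeated", REPEATED)):
        print(label, verdict(blob), duplicate_entries(blob))
```

Differing CRCs for the same path show that the two copies hold different content, which is the case a store-side scan would want to surface first.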

  2. Anonymous Coward
    Childcatcher

    Shocking

    Who would ever think that a non-Google Play Store Chinese "betting/lottery app" could possibly be harmful?

  3. ElNumbre

    Genuine Question.

    Genuine question: Given that the Kindle Fire/HD run a version of Android with their own market store, does anyone know if these devices are vulnerable to this master key attack?

    1. Anonymous Coward

      Re: Genuine Question.

      The problem is with the OS's installation programming that the stores use, so probably. Perhaps even more so if Amazon aren't checking their app store for infringing apps - Google are scanning the Play store and removing infringing apps.

  4. Jamie Jones Silver badge

    'master key hack'

    I wish you'd stop calling it a 'master key hack' - it's a bug in the key verification as well you know.

    'master key hack' implies that private keys have been retrieved, or that the encryption mechanism has been cracked. This might sound more sexy but it's a distortion of the truth.

  5. Anonymous Coward

    Pedantry Alert, .zip file is a format, same as .7z,.jar, .tgz, .apk, etc

    The standard terminology 'in the biz' to refer to these types of files is 'archive file'.

    1. This post has been deleted by its author

      1. Anonymous Coward
        FAIL

        Well the intention of that list was to show other examples of archive file formats, though I can see how you've mistaken it to mean all archive file formats are the same. Still, reading comprehension a bit lacking today?

  6. Anonymous Coward

    IMEI?

    I thought those dodgy unlocking sites exist just to harvest IMEIs etc?
