back to article Android MasterKey found buried in kiddie cake game on Google Play - report

Two Google Play apps that use the so-called "MasterKey" vulnerability, albeit harmlessly, have been detected, security researchers have announced. The Android signature vulnerability, which first came to light two weeks ago, affects the vast majority of Android smartphones and tablets, creating a means to load fake files into …

COMMENTS

This topic is closed for new posts.
  1. Ragarath

    What about the operator packages?

    However, patched Android distributions such as CyanogenMod will refuse to install the application with the mention that the “Package file was not signed correctly”

    Leaving 99.9% of Androids un-patched because the operators are not forced to update packages. Google need to change the terms so that operators have to keep devices up to date or install vanilla Android. Yes put on a GUI overlay (say sense for HTC) but have it as an install to the vanilla package and not a HTC / Vodafone double whammy where you can't do anything with your device without rooting it.

    1. S4qFBxkFFg
      FAIL

      Re: What about the operator packages?

      This is, as you highlight, a deplorable state of affairs with a simple(ish) solution.

      Ironically, the best chance of things improving is for there to be some sort of disastrous (and obvious, even in mass media) exploit that the don't-patch-your-old(er)-phones model permits.

      Either lifting millions of banking login details, or using smartphones to serve terrorist/paedophile file networks would suffice.

      "Hackers gut muh monneh!"

      "Turrists!"

      "For the children!"

    2. Anonymous Coward
      Anonymous Coward

      Re: What about the operator packages?

      Another good reason to move to Windows Phone...

      1. Anonymous Coward
        Anonymous Coward

        Re: Windows Phone

        Hahahahahaha, thanks for brightening up my Monday morning

      2. Charlie Clark Silver badge

        Re: What about the operator packages?

        Another good reason to move to Windows Phone...

        Ah, yes. Because if there are no apps, they cannot be infected. Except, of course, for the exploits that successfully target the browser / OS / MS apps.

        Tell you what, why don't you move to North Carolina where you can live happily among others happy to deny reality.

        1. Anonymous Coward
          Anonymous Coward

          Re: What about the operator packages?

          "Because if there are no apps"

          About 180K apps now.

          "Except, of course, for the exploits that successfully target the browser / OS / MS apps."

          You know Windows Phone 8 has had ZERO vulnerabilities? Unlike the hundreds in IOS and Android.

          Even Blackberry 10 was already rooted.

      3. vagabondo
        Linux

        Re: Another good reason to move to

        FLOSS, and signed trusted repositories.

    3. anywherehome
      Megaphone

      Re: What about the operator packages?

      maybe but 99,9999 % are NOT or will NOT be infected because of Google Play ;)

      only iOS there was a time you could hack just through visiting any WWW - Apple is well knows for its very very poor security

      or Windows with its disastrous security

      Android is fortunately still the best, safest among the most popular OSes

      when you cross the street you have to watch left and right...the same with Android + you have freedom

      don't need to worry if you download just from Google Play, so 99,99 % are in safe

  2. frank ly

    No patch for Nexus 4 ?

    When I got a Nexus 4 in January, I thought it was a good idea because I'd have all the latest Android goodness (and patches) delivered direct from Google. It seems I was wrong.

    1. S4qFBxkFFg

      Re: No patch for Nexus 4 ?

      I don't have a Nexus, so not exactly sure how Google's updating process works, but are you sure it's enabled on your device?

      4.3 is only meant to come out in two days - is this the version you're waiting on?

      1. frank ly

        Re: No patch for Nexus 4 ?

        I was offered an update in February, soon after I got the Nexus 4. I've just done a manual check and it tells me, "Your system is up to date". I'll keep waiting.

        1. Danny 14

          Re: No patch for Nexus 4 ?

          I bought a galaxy s2 so I could root it and install what the hell I like. Seems this was a good decision.

  3. I ain't Spartacus Gold badge
    FAIL

    Now don't I remember a story from one of Google's security Oompa-Loompas just a month or so ago? Oh yes, that's right. If nasty vendors don't patch vulnerabilities we find in under 7 days, then we'll publicly reveal them to the world, and it won't be our fault if there are exploits. It'll be their fault for not patching quickly enough.

    Hmmmm. I thought that statement was a bit of a hostage to fortune, given the piss-poor method that Google decided on for Android patching. They really need to sort that out. I've been saying it (and getting downvotes) on and off since I got my first Droid a couple of years ago. It's a great OS, but with some obvious, and quite fucking ludicrous, flaws. Patching and updating being the biggest and obvious-est.

    I wonder if this will prompt them to look at sorting things out? Or are they just going to stick their fingers in their ears and sing "la la la la la".

    There's going to be a big outbreak of something soon, that makes the papers. It only takes that one high-profile story, then they'll start reporting every single problem, and Android's reputation may get trashed incredibly quickly. Like the papers reporting every Dreamliner that turns back and makes an un-scheduled landing, as if that's not something that happens to airliners every day, just because of the one catching fire at Heathrow. It won't take much to knock people's confidence in it, and send them scrurrying back to Apple, or even to Windows Phone/Blackberry, all of which are perfectly fine OSes.

    1. Alister
      Facepalm

      @I ain't Spartacus

      I see you got a downvote for that, for some peculiar reason, so have an upvote to redress the balance.

      1. I ain't Spartacus Gold badge
        Happy

        Re: @I ain't Spartacus

        I see you got a downvote for that, for some peculiar reason, so have an upvote to redress the balance.

        Alister,

        I see that you got a downvote too. Ooops.

        'Tis no surprise. Some of the Android fanbois, make their Apple equivalents look sane. I try my best not to troll, but I get most of my downvotes through making reasonable points about the flaws of Android. And I get loads if I ever dare to suggest that Windows Phone has some good points. Well it does. I've had one, it was fine for a cheap smartphone. No actually, it was bloody excellent for a £100 smartphone, for a full-price £500 job, WP7 would have been severely disappointing though.

        I replaced my Nokia Lumia 710 with a work iPhone 5. Which is also fine. The Lumia was a replacement for the work HTC Wildfire, which was also fine - if under-powered and horribly under-updated. I know that's HTC's fault, not Google's. But it'll be Google that the public and press will blame if/when the malware shit hits the fan.

        I try to be positive, and upvote the good posts, and only downvote total idiots and trolls. Disagreement is fine. I find the fanbois hard to understand. There are no vendors who are perfect, and they're always tempted to put profits ahead of security/updates/customer services.

        I try to be an adult about my tech choices, and practise sensible paranoia, without prejudice for vendors' past misdeeds. Or excessive trust or hero-worship. Which are equally bad. I'll take the tool that does the job, at the right price and required effort.

        In the last couple of months I've recommended an Android tablet to a couple of people, an iPad to at least one, helped a friend choose and set-up the (excellent) Galaxy Note II, and recommended Windows Phone to a couple of people as well. Plus said avoid a tablet and get a laptop to someone else. Horses for courses. But not in lasagne - I'll take my horse casseroled in red wine, with veg, tatties and dumplings thank you.

        1. Down not across

          Re: @I ain't Spartacus

          Sensible comments here? What next? Superfast rural broadband in UK?

          My biggest bugbear with Android is application permission system. To install an app you have to accept whatever permissions the developer has decided, rather than being able to allow/deny/ask as as you see fit.

          Sure you can do that if you root the phone. But my point is that you shouldn't need to root the phone to have better control of the application environment and what the apps can and cannot do. Why can't vanilla Android have a built in application firewall to let you do that? It is not like it would make any odds to Google's profits.

          1. Charles 9

            Re: @I ain't Spartacus

            "Why can't vanilla Android have a built in application firewall to let you do that? It is not like it would make any odds to Google's profits."

            Even if developers feel betrayed by Google and switch back to the Apple Store exclusively? For a good while, many of the best apps went to Apple first, THEN to Android. Might see a rebound of this if devs lose security control.

            1. M Gale

              Re: @I ain't Spartacus

              "Might see a rebound of this if devs lose security control."

              How in hell is letting me block an app from having Internet access causing the dev to "lose security control", whatever that means?

              The dev has no rights over my phone.

              1. Charles 9

                Re: @I ain't Spartacus

                Think ad-based apps. No internet access means no ads. No ads = no revenue = no reason for the dev to release for Android. See the problem?

                And while it's YOUR phone, it's THEIR app. Go their way or go without, and if more people go without, devs again won't see a reason to release for Android, and remember when the security model was first made, Android was the underdog against Apple. They needed a way to attract developers.

                1. M Gale

                  Re: @I ain't Spartacus

                  "No ads = no revenue = no reason for the dev to release for Android. See the problem?"

                  Well then they should make paid versions. Tough shit if there's no network connection. Stop the app from working if you're that bloody minded, but don't dare think you have the right to stop me from disabling your app's access to network resources, or any other resources for that matter.

                  "And while it's YOUR phone, it's THEIR app. Go their way or go without,"

                  ...I frequently do. Rovio's software has no place on my phone until application firewalls are up and running.

                  "and if more people go without, devs again won't see a reason to release for Android,"

                  If people who own a massively popular phone platform are not buying your apps, it is not the fault of the platform. Ditto if you don't offer a paid version.

                  "and remember when the security model was first made, Android was the underdog against Apple. They needed a way to attract developers."

                  Like joining a new app market for a platform that's extremely promising and cheap? Just how do Windows developers make money on a platform where you can easily get firewalls that block apps from network access?

        2. Anonymous Coward
          Anonymous Coward

          Re: @I ain't Spartacus

          "I try my best not to troll, but I get most of my downvotes through making reasonable points about the flaws of Android."

          So because you think it is a reasonable point, no one can disagree. Maybe that's your issue - you don't think you can be disagreed with?

          1. I ain't Spartacus Gold badge

            Re: @I ain't Spartacus

            So because you think it is a reasonable point, no one can disagree. Maybe that's your issue - you don't think you can be disagreed with?

            Nope. I don't expect to get downvoted for making reasonable points. I expect to get disagreed with for that. A post in response to mine saying, 'you are wrong because a', or 'I think b', is entirely welcome. It's the basis for a reasonable discussion.

            There's no point debating with trolls, it's a waste of time. So correct procedure is a quick downvote (if you can be arsed) and move on. If someone posts something that you think is factually inaccurate, or you don't agree with, then the whole point of a discussion thread is to discuss it, so do so. Politely and respectfully would be nice. Then everyone can learn something.

            For example, I've not owned an Android phone for a couple of years, though I've set a couple up for friends, and played with them in shops. So my knowledge is good but rusty, and I've got a couple of things wrong, and been corrected - and hopefully learnt from same. Overall though, I believe I have a good basis for my opinions, having lived with 3 of the 4 main systems.

            However, you didn't bother to disagree with anything I actually said about Android - so can I presume you agreed with it?

            1. Danny 14

              Re: @I ain't Spartacus

              I live in rural cumbria and I can get superfast broadband. I choose 10Mb (get 10mb too) as it is a cheap package.

            2. Anonymous Coward
              Anonymous Coward

              Re: @I ain't Spartacus

              "So correct procedure is..."

              Now you are setting correct procedures for this forum.

              First people can't downvote you if they disagree with your definition of a "reasonable point", then they have to follow *your* correct procedure, then if they don't write a written disagreement they *must* (by some bizarre logic you've mandated) agree with you?

              Wowzers.

              1. I ain't Spartacus Gold badge
                Happy

                Re: @I ain't Spartacus

                Anon,

                Yup. If you want to put it like that, I'll go for it.

                What does a downvote mean? How does it enhance the discussion? I don't think anything I've said here is unreasonable. You're entirely welcome to disagree. If it makes you happy, downvote away. But as I have no idea why I'm getting downvoted, I can't draw any useful information from it.

                Whereas, if you disagree with something anyone's said, please fire up a post. Hopefully this can then be discussed, and we may all reach enlightenment.

                It's all pretty straightforward really.

          2. The_Regulator

            I get down voted all the time for giving opinions about windows 8 and windows phone 8, saying they are actually good to use here is the equivalent of telling someone that you just ran over their cat in your car.

            1. M Gale

              I get down voted all the time for giving opinions about windows 8 and windows phone 8, saying they are actually good to use here is the equivalent of telling someone that you just ran over their cat in your car.

              WP8's UI is just about passable on a phone. On a desktop it's a bloody horror.

              You may think differently, but I honestly don't care what you think. I know what I like and don't like, and Windows 8 is a piece of shit straight out of the Steve Jobs "we know what you want better than you do" school of OS and UI design.

              Problem is, they don't know better.

          3. Jamie Jones Silver badge

            Re: @I ain't Spartacus

            "So because you think it is a reasonable point, no one can disagree. Maybe that's your issue - you don't think you can be disagreed with?"

            Why does disagreeing necessitate downvoting?

            I don't even downvote people who are wrong, unless they are being idiots about it.

            Like non-Spartacus above, I generally only downvote idiots and trolls.

    2. Anonymous Coward
      Anonymous Coward

      "Android's reputation may get trashed incredibly quickly"

      Android is already widely known as Malware Central. At least by anyone that can read....

      1. I ain't Spartacus Gold badge

        Anonymouse,

        There's malware on Android, sure. But if you're not doing anything unusual, like using other app stores, or side-loading, you're pretty unlikely to pick up any nasties. It's not like Windows XP in 2002 for example.

        Although it could theoretically get that way - and with no sensible update mechanism built-in Google would then seriously struggle to fix the problem. The potential for damage to their reputation is enormous, particularly as I don't think their user lock-in is anything like as solid as Microsoft's was/in on the PC market. iOS, Blackberry and Windows Phone are all serious alternatives, given that for most users a phone is just an appliance, and many don't even know what OS they're running.

        I struggled to get 2 ordinary users to understand last week that the iPad/iPhone run the same OS, or that Google's nexus tablets and Samsung's tablets/phones were all running the same OS. Many users still don't think of smart-phones as computers, with similar power to desktops. Many don't even realise (because they've never thought about it) that phones are the same as tablets, but with smaller screens.

        Malware on their phone would come as a rude shock to them. They have an ongoing financial relationship with the carriers, who probably sold them the handset, and they're going to expect more customer service than they get through a PC they picked up from Dixons. Plus journalists love smartphones, and talking about smartphones. It makes them feel relevant and in-touch with da yoof. It will be big news, if it happens. And Google really don't seem to understand customer service. They are riding for a big fall, if they're not careful. In major part, because most smartphone users aren't well informed about the risk of malware on 'Droid.

      2. This post has been deleted by its author

      3. Anonymous Coward
        Anonymous Coward

        I'm reminded of Windows desktop OS in that it's the most obvious target due to popularity, so it gets all the attention from the baddies. Also, it can grant more control over the device to the user than the iPhone (and possibly Windows Phone/Blackberry, I don't have much experience of them) so if you don't know what you are doing and allow all sorts of stuff to run (clicking through the "Yes, I want this app to be able to make calls and texts"), then you're going to have security issues sooner or later.

        Obviously, this is made worse in that legitimate applications that don't need these permissions often ask for them 'just in case' (Facebook, I'm looking at you here - no I don't want FB Home, so why bolt on FB Home privileges to the regular app? Rhetorical)

        So users don't really know what to do a lot of the time. And that's not good. Am I missing anything?

        Only real response to previous poster is that I doubt the majority of users read about malware and view the security permissions page as an EULA they click through as quickly as possible... Sad, but true. So I doubt Android is widely known as Malware Central...

        1. pigor

          "this is made worse in that legitimate applications that don't need these permissions often ask for them 'just in case' (Facebook, I'm looking at you here"

          Unfortunately Facebook app is not the only one.

          I see more and more legitimate apps asking for more and more permissions that not really needed.

          More annoying is that they rarely, if ever, explain why they do explain why they are requesting such permissions.

          The average user have no clue about permissions and just select yes.

          Ideally the users should be able to choose which of the requested permissions to grant, with "gentle degradation" of the app's features for it.

          But that's just never going to happen (and mainstream users will not have a clue anyway).

          Google should have more strict policies about permissions refusing apps asking for unnecessary permissions. I know by direct experience that Apple Appstore does it and I have to admit that is a good thing for end-users (a bit more problematic for me that I had to do more work to fix my app)

          1. Charles 9

            "Google should have more strict policies about permissions refusing apps asking for unnecessary permissions. I know by direct experience that Apple Appstore does it and I have to admit that is a good thing for end-users (a bit more problematic for me that I had to do more work to fix my app)."

            How about this? For each section of access a program seeks, the developer needs to provide a justification for it. These justifications can be evaluated by Google to see if they match up (if something happens outside the listed justification, the application is rejected), then they can be posted to the Play Store as a "Why?", visible to the user, for each permission an app requests.

  4. Anonymous Coward
    Anonymous Coward

    Android Masterkey?

    Really, I don't see anywhere that the "Android MasterKey" was found in this app? It seems like they duplicated a file?

    The vulnerability itself is a code-signing key bypass...

    This is supposed to be a tech site where the authors actually understand a little bit of tech, is it not?

  5. jnffarrell1

    Telcos and OEM, Amazon and other Android Skinners are Liable

    If they don't want to pay for protecting their customers in real time then some class action lawyer will skin their shareholders or cut up their corporate carcasses after putting them in bankruptcy court.

  6. David Simpson 1

    Actually you can patch this with an app from the Play store - really easy.

    1. G.Y.

      If rooteed

  7. Dave Fox

    Fail again!

    How many times is El Reg going to post that the S4 is the only phone which has been patched against this, when it simply isn't true?

    Using the Blue Box Security Scanner for my devices:

    HTC One - Patched

    Galaxy Note 2 - Patched

    Galaxy Note 8 - Patched

  8. os2baba

    This is NOT a Masterkey exploit

    The presence of two resource files with the same name does not make it a Masterkey exploit, not even a "harmless" vulnerability. The reason CynanogenMod patch flags it is because it's a rather blunt patch. It flags any APK containing two files with the same name. It's a false positive (which is better than not catching a genuine exploit), but this is not a vulnerability. Jay Freeman has an excellent article on this if you want to spend the time reading it. It explains the flaw in great detail and the fix. http://www.saurik.com/id/17

  9. DrXym

    Overblown threat

    The flaw shouldn't be there, but it's not like most people are at risk. The Play store is where the vast majority of users get their stuff and Google can throw any filtering they like on there and weed out signed apps which are shown to use the exploit. They could also throw something into the play services that go onto an android device to scan existing apks for the vuln. I assume other reputable app stores would do likewise.

    And for the disruptable ones, it's not like the signing means a whole lot anyway. Malware authors can do what they like and people who visit are after warez anyway.

  10. Generic Forum User

    Sensationalist clickbait at its finest

    "We understand the applications were reviewed but not removed by Google because they didn't do anything harmful"

    and yet you went ahead and published this sensationalist article anyway. The fact of the matter is that these apps contained duplicate PNGs. There's no harm in that, and yet you insinuate that because these apps exist, "effective screening for the vulnerability is not even taking place on Google's official Play store."

This topic is closed for new posts.

Other stories you might like