Making sense of the latest Android ‘Master Key’ security scare

There’s been a fair bit of FUD being circulated about the latest Android exploit (Bug #8219321), namely that the cryptographic key which generates signatures for apps can be bypassed, allowing for undetectable modifications to core functions. Usually there are dozens of exploits being found every week on every platform, but this one has been everywhere. Some things to note:

* If you have enabled ‘Allow Unknown Sources’ in the settings menu to allow side-loading of APKs, pressed OK through the warning it gives you about potential security risks, AND you have downloaded a malicious APK from a third-party source and installed it, then you might be vulnerable. If you haven’t enabled this option, then don’t worry. Keep on keeping on.

* The vulnerability cannot be exploited by any apps downloaded from the official Play Store. It has been patched since it was revealed in February. This means for the vast majority of people, it’s business as usual. 

* The exploit is fairly niche in that it cannot be performed if you’re in proximity to somebody (unlike, say, a wifi-spoofing MITM attack on iOS). It requires the end-user to take active steps to initiate the malicious program. 

What I found entertaining was the amount of fear-mongering that some click-baiting ‘news’ sites generated, especially the more tabloid oriented ones. There were claims that all Play Store apps were affected, there were calls to immediately remove all apps from phones (thereby rendering them next to useless), mostly from non-tech ‘journalists’ who didn’t bother to spend a few minutes on researching the topic.

The sad thing is, this helps nobody – the methodology hasn’t been explained or verified in detail, and it causes non-technical end users to panic and do stupid things for no reason. But hey, why let the truth get in the way of some juicy headlines?  

It’s also worth noting that Bluebox is a VC-funded security-focused startup that sells security packages. All the same, on the bright side – this is how it should be – exploit is found, vendor is notified, exploit is demonstrated (in this case it will be demonstrated at Black Hat 2013). 

Making sense of the latest Android ‘Master Key’ security scare | Android Central


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s