An Android Master Key Solution...But
July 24, 2013
By Jack Walsh

Last week I blogged about the “Android Master Key” vulnerability.  Not long after its discovery by Bluebox, the Chinese firm Android Security Squad found a similar Android Master Key vulnerability.  Both vulnerabilities permit adversaries to circumvent the Android app signature verification process after modifying any app.

Google and others expressed the belief that there are no attacks exploiting these vulnerabilities.  In addition, it is widely believed that Google will use its Bouncer service to protect the Google Play app marketplace by scanning for apps aimed at exploiting these two vulnerabilities. 

Time will tell how well that will work. 

Having known about the vulnerability for some time, Google earlier developed a patch.  Because their fix is part of the Android Open Source Project (AOSP), mobile device manufacturers have access to it.  What is unknown is how soon mobile device manufacturers will implement that patch across their many models new and old.  Also, unknown is how soon manufacturers and carriers will deploy the patches to the nearly one billion affected Android devices.  My guess is that it will be a while.

Last week a more sweeping solution appears to have emerged for the 900 million affected Android users.  That solution is an Android app called ReKey.  The ReKey app is the collaborative work of NEU SecLab at Northeastern University and Duo Security. 

Of course, like with so many things with an upside, there is a downside to using the ReKey solution.  In order for it to work its magic, your Android device must be rooted. But as they said on the ReKey website, it was either root your device or have the ReKey app “exploit the unpatched vulnerability in order to gain the privileges needed to patch [it].” 

They came to the conclusion that rooting your device is preferable to “distributing a reliable exploit that could be re-used by malicious parties” because that “may not be in the best interest of public safety”.  We couldn’t agree more. 

Comments

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor to prevent automated spam submissions.
Image CAPTCHA
Enter the characters shown in the image.