Slashdot Mirror


Android Master Key Vulnerability Checker Now Live

darthcamaro writes "Last week, Rain Forrest Puppy (aka Jeff Forristal) first disclosed the initial public report about an Android Master Key flaw. Code was released earlier this week for attackers to exploit the flaw — but what about users? Google has claimed that it has patched the issue, but how do you know if your phone/carrier is safe? Forristal's company now has an app for that. But even if your phone is not patched, don't be too worried, as risks are limited if you stick to a 'safe' app store like Google Play. 'The only way an Android user can be attacked via this master key flaw is if they download a vulnerable application. "It all comes down to where you get your applications from," Forristal said.'"


  1. Even the Android fanboys know by MoronGames · · Score: 3, Insightful

    That most phones that are "in the wild" will probably never receive this patch unless they are current flagship devices. That said, do not download things from untrusted sources! That goes for not only smart phones, but computers as well!

    --
    hey!
    1. Re:Even the Android fanboys know by h4rr4r · · Score: 3, Interesting

      1. People seem to not care. This is why I only buy Nexus devices though.
      2. Totally correct.

      I wish Google would use their leverage over the Android trademarks, not the software, to force updates for X amount of time and a longer amount of time for security patches. The real issue here is the whole carrier model. If you bought your PC from your ISP and they provided all the software for it, you would be in the same boat there.

    2. Re:Even the Android fanboys know by h4rr4r · · Score: 2

      What do you think root exploits often are?

      Any APK could contain one and use that to do anything it likes. The only trick would be getting users to install it. Which for most users just means telling them there is a shiny bunny or sexy woman in the application.

    3. Re:Even the Android fanboys know by h4rr4r · · Score: 2

      RageAgainstTheCage was one; it used an adb setuid exhaustion attack, and there was a udev exploit. These were patched in AOSP a long time ago, but some devices never got updates that closed these holes.

      The Android app store keeps these things from being put in apps from there, but nothing stops them from ending up in alternative (read: pirate) app stores.

      Sure, the fact that most people never enable third party apps and stick to the Google store keeps them mostly safe. It simply would be better to go ahead and patch the devices as well.

    4. Re:Even the Android fanboys know by somersault · · Score: 3, Funny

      It's in a dialect of English usually known as Careless Autocorrect

      --
      which is totally what she said
  2. Re:Master key? by Andy Dodd · · Score: 3, Informative

    That was the word Bluebox used to describe it... Honestly, their original press release blew this way out of proportion.

    Most Android devices now have support for scanning sideloaded APKs for malware (it's a Google Play service), and I'm assuming that while a week or two ago that detector wasn't configured to detect this exploit, it almost surely does by now.

    --
    retrorocket.o not found, launch anyway?
  3. Re:Is there an App to check for bogus APKs? by Jerry Atrick · · Score: 2

    It should be easy to catch the package installed/updated broadcast and intercept exploits immediately after they install but before they can execute. About 20 lines of Java should do it.

    The other interesting aspect of this exploit is you could automatically strip the malware payload and recover the safe, original apk, or a close enough facsimile of it.
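An added example, not code from the thread or from Bluebox: a small checker for the bogus-APK case discussed above. It assumes (as publicly documented for this bug) that a tampered APK is a zip whose central directory repeats an entry name, so a signature verifier and the installer's extractor may read different bytes for the same path; the sample archives are constructed in memory and are not real APKs.

```python
"""Flag APKs whose zip central directory carries duplicate entry names."""
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name listed more than once.

    A correctly built APK never repeats a name. Python's zipfile keeps every
    central-directory record in infolist(), so duplicates are visible here
    even though namelist()-style lookups would only ever resolve one of them.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the archive should be held back for review before install."""
    return bool(duplicate_entries(apk_bytes))


def _build_sample(duplicate: bool) -> bytes:
    """Constructed sample (not a real APK): a minimal zip with a few entries."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when asked to repeat a name
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00original")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00second copy")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


CLEAN_APK = _build_sample(duplicate=False)      # constructed: one classes.dex
TAMPERED_APK = _build_sample(duplicate=True)    # constructed: classes.dex twice

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_APK), ("tampered", TAMPERED_APK)):
        print(label, "suspicious" if is_suspicious(data) else "ok", duplicate_entries(data))
```

The same check run from a package-installed receiver would need to inspect the central directory directly; the Java and Python zip readers resolve duplicate names differently, which is exactly why the count is taken over every record rather than over a name lookup.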

  4. MITM by SirJorgelOfBorgel · · Score: 2

    I'm not sure if this is still true, but I do know that last week the Play store was still using HTTP downloads for the actual APK files instead of HTTPS (even though the API calls do use HTTPS). As such, even downloads from Play may be susceptible to man-in-the-middle attacks. I can't possibly explain it better than this group of comments:

    http://it.slashdot.org/comments.pl?sid=3950207&cid=44220885

    I'm not saying it's likely - but it doesn't seem impossible either. Seeing as it will be a long time before the average Android user will be running a phone with this patch, I would call "crisis averted" too soon. Of course, we don't know if the complete HTTP download is still verified with a checksum gotten from the HTTPS API, but somehow I doubt it.

  5. Re:Master key? by jeffmeden · · Score: 2

    > That was the word Bluebox used to describe it... Honestly, their original press release blew this way out of proportion.

    > Most Android devices now have support for scanning sideloaded APKs for malware (it's a Google Play service), and I'm assuming that while a week or two ago that detector wasn't configured to detect this exploit, it almost surely does by now.

    Why should that get in the way of a good story? "Master key" sounds like something that will grant anyone access to your device, any time they want, without your permission, and plays so well with the "Android devices take months/years to get patched" meme. Which is all much more salacious than the reality, considering that only apps intentionally sideloaded by the user (after deactivating the default protection) can run with unchecked permissions, IF you haven't gotten the Google Play Store updates yet, which are pushing out with quite rapid speed.

  6. CM 10.1.1 by Riddler Sensei · · Score: 2

    For those running Cyanogenmod this has been patched in 10.1.1.

  7. It is about the appstore you use. by briancox2 · · Score: 2

    If it's about the app store you use, then F-Droid has a leg up. Unlike Google's, everything on F-Droid has had human eyes look at what it does.

    --
    We should learn what we need to know about issues, before we decide what we need to feel about them.
  8. Re:Permissions by Miamicanes · · Score: 2

    > Simple enough, if your app knows what it needs to do, there is no need for "Full Network Access". I smell scam app.

    Or an app that, like 98% of the free apps in Android Market, embeds Google's ads in the app. Then it needs full network access, coarse location, and read phone state & identity, among other things. It's the killer flaw in Android's permissions system... to serve ads from any common ad network, you have to practically give the app complete access to everything.

    Instead of embedding ad-handling into apps, ad-supported apps should require the installation of a content-provider app for the ad network (common to all apps using it) as a prerequisite, register itself with Android as an ad service provider, then allow apps declaring a permission like "Communicate with Advertising Service" to blindly embed content from that service provider into the app as a black box that the app itself can't influence or communicate with (so an app can't try to leak user information back to its own servers using the ad network as a backdoor). THEN, we could have apps with no app-related need to access the internet that declared only "Communicate with Advertising Service" as a permission, and a separate set of permissions for the Android-firewalled adserver content provider that would be unable to communicate directly with the ad-displaying app.