Android Master Key Security Hole Puts 99% Of Devices At Risk Of Exploitation
Mobile security startup Bluebox Security has unearthed a vulnerability in Android's security model which it says means that the nearly 900 million Android phones released in the past four years could be exploited, or some 99% of Android devices. The vulnerability has apparently been around since Android v1.6 (Donut), and was disclosed by the firm to Google back in February. The Samsung Galaxy S4 has already apparently been patched.
It's likely that Google is working on a patch for the vulnerability. We've reached out to the company for comment and will update this story with any response.
Bluebox intends to detail the flaw at the Black Hat USA conference at the end of this month but in the meanwhile it's written a blog delving into some detail. The vulnerability apparently allows a hacker to turn a legitimate app into a malicious Trojan by modifying APK code without breaking the app's cryptographic signature. Bluebox says the flaw exploits discrepancies in how Android apps are cryptographically verified and installed. Specifically it allows a hacker to change an app's code, leaving its cryptographic signature unchanged, thereby tricking Android into believing the app itself is unchanged, and allowing the hacker to wreak their merry havoc.
The flaw is made worse if an attacker targets a sub-set of apps developed by device makers themselves, or third parties such as Cisco with its AnyConnect VPN app, that work closely with device makers and are granted system UID access. This sub-set of apps can allow a hacker to tap into far more than just mere app data, with the potential to steal passwords and account info and take over the normal running of the phone. Here's how Bluebox explains it:
http://techcrunch.com/2013/07/04/android-security-hole/
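The article says the app's code can change while its signature still verifies because the verifier and the installer read the package differently. The root cause Bluebox later published (not spelled out in the TechCrunch excerpt) was APK archives that list the same entry name twice, so the simplest defensive check is to flag any APK whose ZIP central directory repeats a name. This is an added example, not code from the article or from Bluebox; it builds its own constructed archive in memory rather than reading a real APK.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: [(crc32, size), ...]} for every entry name listed more
    than once in the archive's central directory.

    A signed APK is a ZIP file whose signature covers entries by name. If a
    name appears twice, one reader may check one payload while another reads
    the other, so any duplicate is grounds to reject the package outright.
    zipfile.infolist() keeps every central-directory record, so duplicates
    survive parsing even though name lookups only ever return the last one.
    """
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            seen[info.filename].append((info.CRC, info.file_size))
    return {name: recs for name, recs in seen.items() if len(recs) > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """Policy helper: refuse any archive with a repeated entry name."""
    return bool(duplicate_entries(apk_bytes))


def build_sample(duplicate: bool) -> bytes:
    """Constructed test fixture (not a real, signed APK): a manifest and a
    classes.dex placeholder, optionally followed by a second classes.dex
    record with different content so the scanner has something to catch."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("classes.dex", b"original bytecode (constructed)")
            if duplicate:
                zf.writestr("classes.dex", b"second copy (constructed)")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample(flag)
        print(f"duplicate={flag}: suspicious={is_suspicious(sample)}",
              duplicate_entries(sample))
```

Run against a real package by passing the APK's bytes to `is_suspicious`; a clean archive returns an empty dict from `duplicate_entries`, while a repeated name comes back with both records' CRC and size so you can see that the two copies actually differ.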
longship (40,416 posts)
Sorry. I do not mean the DUer posting the article. I am about the stupid editor who wrote the headline.
It's an operating system bug and they happen all the damned time. Some are more serious than others. The solution is to fix it which is usually a routine matter.
But calling it a "master key" is deceptive as to the character and purpose of the bug. It has no purpose. It's a fucking bug.
Every other news editor should be strangled slowly until this madness stops.
dkf (37,305 posts)
longship (40,416 posts)
Every OS has bugs like this. And NO, none of them are deliberate.
Let's see now. Shall I get my tin foil hat, or some popcorn?
Okay...
dkf (37,305 posts)
Just like the government doesn't intend for us to know anything either.
rhett o rick (55,981 posts)
longship (40,416 posts)
That's why when I administered Internet servers I ran Linux and kept up with the security warnings and updates.
They happened often enough with even secure and reliable OS like Linux that I would check things often and subscribed to all the proper alerts.
Some holes are bigger than others. This one sounds serious. They'll be on it or they'll lose business.
To suggest that this is deliberate is lunacy.
surrealAmerican (11,361 posts)
That would seem a more apt moniker.