'Master key' to Android phones uncovered

Dari

Lifer
Oct 25, 2002
Really, guys? I had to find this on the BBC website? Not here or any other websites? And days late, I might add. This is a serious issue and no one in the tech world is talking about it? Disappointed...

LINK

'Master key' to Android phones uncovered

A "master key" that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.

The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.

The loophole has been present in every version of the Android operating system released since 2009.

Google said it currently had no comment to make on BlueBox's discovery.

Writing on the BlueBox blog, Jeff Forristal, said the implications of the discovery were "huge".

The bug emerges because of the way Android handles cryptographic verification of the programs installed on the phone.

Android uses the cryptographic signature as a way to check that an app or program is legitimate and to ensure it has not been tampered with. Mr Forristal and his colleagues have found a method of tricking the way Android checks these signatures so malicious changes to apps go unnoticed.

Any app or program written to exploit the bug would enjoy the same access to a phone that the legitimate version of that application enjoyed.

"It can essentially take over the normal functioning of the phone and control any function thereof," wrote Mr Forristal.

BlueBox reported finding the bug to Google in February. Mr Forristal is planning to reveal more information about the problem at the Black Hat hacker conference being held in August this year.

Marc Rogers, principal security researcher at mobile security firm Lookout said it had replicated the attack and its ability to compromise Android apps.

Mr Rogers added that Google had been informed about the bug by Mr Forristal and had added checking systems to its Play store to spot and stop apps that had been tampered with in this way.

The danger from the loophole remains theoretical because, as yet, there is no evidence that it is being exploited by cyber-thieves.
 
Oct 25, 2006
We've talked about this a week ago, and it is only an issue if

a) you don't use google play
b) you sideload apps from the shadiest websites ever and intentionally bypass all android security.

So understand the issue and don't just repost things that were found to be a nonissue already a while ago.

Literally almost every single android "vulnerability" can be cured by "stop installing side loaded apps from websites that are shady and stop bypassing every single Android security measure"
 

aceO07

Diamond Member
Nov 6, 2000
This article/news has been on A LOT of websites a few days ago. A quick google search will show you that. If you don't read those sites, then you probably missed it.

It of course still relies on you installing the app with the key and in most cases people will install from the App Store. Having the master key doesn't magically give access to all Android phones in the world.

Also, I'm not sure if the original article from Bluebox (http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/) states that the real master key was found, just that it would be used for escalated access.

I think we'll have to wait until Black Hat USA 2013, in a couple of weeks, to see if they have the real master key, or if they were just doing proof of concept on a modified Android build.
 

Chocu1a

Golden Member
Jun 24, 2009
Read about this last week (Android Central). Not really an issue for the majority of android users. Just don't side-load apps. In reality, there is not one single person I know right now that knows enough to check the box for installing from unknown sources.
 

WelshBloke

Lifer
Jan 12, 2005
Dari, you should be championing the Samsung S4. It's the only android phone that's fixed. :D
 

Dari

Lifer
Oct 25, 2002
Dari, you should be championing the Samsung S4. It's the only android phone that's fixed. :D

Is that true? If so, then that's great (for those that have it). For the rest of us, are we f&%$#d?

As for everyone hearing about this since last week, how come no one decided to post it here? I think it's important.
 

rcpratt

Lifer
Jul 2, 2009
Is that true? If so, then that's great (for those that have it). For the rest of us, are we f&%$#d?

As for everyone hearing about this since last week, how come no one decided to post it here? I think it's important.
Nobody else is as smart as you, that's why.
 
Oct 25, 2006
Is that true? If so, then that's great (for those that have it). For the rest of us, are we f&%$#d?

As for everyone hearing about this since last week, how come no one decided to post it here? I think it's important.

They did.

And no one gave a shit because it isn't an issue unless you do stupid things.
 

Slick5150

Diamond Member
Nov 10, 2001
Read about this last week (Android Central). Not really an issue for the majority of android users. Just don't side-load apps. In reality, there is not one single person I know right now that knows enough to check the box for installing from unknown sources.

Lots of people use the Amazon app store on their phones, which shows you how to check that box as a requirement of using it.
 

Red Storm

Lifer
Oct 2, 2005
And no one gave a shit because it isn't an issue unless you do stupid things.

This. It's like calling for a major outcry because it's possible to infect your computer... if you go to extremely shady sites and download random exe files.
 

poofyhairguy

Lifer
Nov 20, 2005
No known implementations exist so I think we are safe. If anything it shows how Google can maintain control of its ecosystem without a 10 foot high cinder-blocked garden.

Lots of people use the Amazon app store on their phones, which shows you how to check that box as a requirement of using it.

I do wonder if Amazon will work in the same fix to their store. The Amazon store is so much worse.
 

BigDaddyD

Senior member
Oct 17, 2002
Not for nothing, but I didn't even know about the feature about download from unknown sources until I needed to download an app from Becker CPA. Their CPA review package is very expensive and their app is a separate cost. I have it on the iPad and on my droid. It is mandatory to check the download from unknown sources boxes in order to get it from them. Since I didn't know about that feature I had to keep calling them and yelling at them about their defective app until they explained it to me...lol.
 

Apex

Diamond Member
Oct 11, 1999
www.gotapex.com
We've talked about this a week ago, and it is only an issue if

a) you don't use google play
b) you sideload apps from the shadiest websites ever and intentionally bypass all android security.

So understand the issue and don't just repost things that were found to be a nonissue already a while ago.

Literally almost every single android "vulnerability" can be cured by "stop installing side loaded apps from websites that are shady and stop bypassing every single Android security measure"

Also:

c) you uncheck "Verify apps" in the security section of your settings.

Google backported verify apps via a Play update, all the way back to Gingerbread (AOSP, so no device manufacturer action necessary). Even if you choose to sideload through unknown sources, by default, the device will request verification through Google Play before installing. You'd have to turn that off manually for it not to get caught.

Sadly, the 4% or so of folks still on Donut, Eclair, and Froyo probably won't ever get officially patched.

How many of you Anandtech folks are still on Android 1.6, 2.1, or 2.2? :)
 

thecapsaicinkid

Senior member
Nov 30, 2012
Doesn't this only affect the people who'll download a supposed updated stock app from dodgy websites without giving a second thought to its origin? Like all the people who side-loaded Play store apks when Google pushed the new re-design. Or those who downloaded the leaked Samsung Android '4.3'.

Tbh you could probably achieve the same thing hosting a malicious apk labeled as "Secret leaked Gmail beta 6.0!!"
 

Dari

Lifer
Oct 25, 2002
They did.

And no one gave a shit because it isn't an issue unless you do stupid things.

So you're saying it's impossible for malicious apps to end up in the Play Store? Even Apple has had malicious apps in their stores...
 

Red Storm

Lifer
Oct 2, 2005
So you're saying it's impossible for malicious apps to end up in the Play Store? Even Apple has had malicious apps in their stores...

This thread, your OP, has nothing to do with apps in the Play Store.
 

ibex333

Diamond Member
Mar 26, 2005
We've talked about this a week ago, and it is only an issue if


b) you sideload apps from the shadiest websites ever and intentionally bypass all android security.

And that is like what? 99.9% of ALL android users?

Seriously.. Who the hell BUYS apps these days?

On a serious note though, with constant sales happening and more and more free apps appearing, there's really no need to get pirated apps anymore. At least not unless you're someone who just has to have everything out there. But still there are quite a few people who share or download illegally downloaded .apk files.
 

Crono

Lifer
Aug 8, 2001
And that is like what? 99.9% of ALL android users?

Seriously.. Who the hell BUYS apps these days?

On a serious note though, with constant sales happening and more and more free apps appearing, there's really no need to get pirated apps anymore. At least not unless you're someone who just has to have everything out there. But still there are quite a few people who share or download illegally downloaded .apk files.

I buy apps and stay within the Play store.

It's not like I don't know how to pirate, I just prefer to purchase apps. I've got about a few dozen apps combined between Google Play, Windows Phone, and the App Store. Most of the apps on my HTC One are free, but I've shelled out cash for RadarScope, SwiftKey, Poweramp, and Toca Hair Salon 2 in the past month. :D
 

Dumac

Diamond Member
Dec 31, 2005
And can't the app only act within its specified permissions? I.E. you have to press okay to give that app access to whatever aspects of your phone.

Not to mention, a lot of critical aspects can't even be affected by an app. You could just wipe the phone in the worst case.
 

Ravynmagi

Diamond Member
Jun 16, 2007
And can't the app only act within its specified permissions? I.E. you have to press okay to give that app access to whatever aspects of your phone.

Not to mention, a lot of critical aspects can't even be affected by an app. You could just wipe the phone in the worst case.

Unfortunately I don't think the permission thing is really much use anymore since it seems like every app these days asks for everything. Facebook probably asked for permission to smash my nuts and I'd just accept it without noticing.

I'm putting a lot of trust in Google Play to not have an app really smash my nuts or worse.