The magnitude of Android’s “master key” bug
The Android flaw whose existence was revealed last week by Bluebox Security is as bad as they come.
“Blowing hash and signing functions so that the underlying code can be changed without the hash and sigs changing is horrifyingly atrocious. This is the code equivalent of impersonating a person with a mask so good nobody, not even the real person themselves, can tell the difference,” Peter Biddle, well-known proponent of trusted computing, explained in a blog post.
“The entire value of a chain of trust is that you are limiting the surface area of vulnerability to the code-signing and hashing itself. This bug, if it’s as described, destroys the chain. All bets are off. You’d be better off without the assertions and chain at all: Treat everyone as adversarial and move all critical operations off-device and into something you know you can trust.”
Google has apparently made it impossible to submit apps that have been modified to exploit this flaw to Google Play, and I wonder whether the banning of self-updating apps back in April was made partly to counter this attack vector.
Nevertheless, as ESET Senior Research Fellow David Harley says, “it’s not unknown for malicious apps to get onto the Google Play store.”
“Google only validates apps that are submitted to Google Play: however, whereas iGadget users can only install apps from Apple’s App Store unless they jailbreak the device, there are a number of legitimate repositories that Android users can shop from, and apps from those sources are not necessarily validated at all,” he also pointed out.
But many agree that the biggest problem with this flaw is that fixes for it will probably not reach all Android users: users of older phone models running outdated Android versions already receive no updates from operators, and it will take operators quite some time to push out patches even for newer models.
The only good news in all of this is that the bug hasn’t, so far, been spotted being exploited in the wild.