Android Master Key Vulnerability Checker Now Live 76
darthcamaro writes "Last week, Rain Forrest Puppy (aka Jeff Forristal) first disclosed the initial public report about an Android Master Key flaw. Code was released earlier this week for attackers to exploit the flaw — but what about users? Google has claimed that it has patched the issue but how do you know if your phone/carrier is safe? Forristal's company now has an app for that. But even if your phone is not patched, don't be too worried that risks are limited if you stick to a 'safe' app store like Google Play. 'The only way an Android user can be attacked via this master key flaw is if they download a vulnerable application.
"It all comes down to where you get your applications from," Forristal said.'"
Even the Android fanboys know (Score:4, Insightful)
Re:Even the Android fanboys know (Score:4, Interesting)
1. People seem to not care. This is why I only buy Nexus devices though.
2. Totally correct.
I wish google would use their leverage over the android trademarks, not the software, to force updates for X amount of time and a longer amount of time for security patches. The real issue here is the whole carrier model. If you bought your PC from your ISP and they provided all the software for it you would be in the same boat there.
Re: (Score:2)
1. People seem to not care. This is why I only buy Nexus devices though.
2. Totally correct.
I wish google would use their leverage over the android trademarks, not the software, to force updates for X amount of time and a longer amount of time for security patches. The real issue here is the whole carrier model. If you bought your PC from your ISP and they provided all the software for it you would be in the same boat there.
Except, that is exactly what Google is doing. This vulnerability is being patched by pushing updated apps directly to the phones via the shadowy Google "remote control", and the carriers don't need to do anything about it. My handset was patched as soon as the Google updates started rolling out, and my carrier could care less.
Re: (Score:2)
I more meant for vulnerabilities in the phone's non-writeable partitions. /system is normally mounted read only. So if you need to patch something more basic to the OS, I would assume a carrier would be standing in the way.
Re: (Score:3)
What do you think root exploits often are?
Any APK could contain one and use that to do anything it likes. The only trick would be getting users to install it. Which for most users just means telling them there is a shiny bunny or sexy woman in the application.
Re: (Score:3)
RageAgainsttheCage was one; it used an adb setuid exhaustion attack, and there was a udev exploit. These were patched in AOSP a long time ago, but some devices never got updates that closed these holes.
The android app store keeps these things from being put in apps from there, but nothing stops them from ending up in alternative (read pirate) app stores.
Sure the fact that most people never enable third party apps and stick to the google store keeps them mostly safe. It simply would be better to go ahead and
Re: (Score:2)
What do you think root exploits often are?
Any APK could contain one and use that to do anything it likes. The only trick would be getting users to install it. Which for most users just means telling them there is a shiny bunny or sexy woman in the application.
I am very ok with those people getting infected.
Re: (Score:2)
Sexy bunny woman? Where do I click?
WHAR LINK WHARE?
Re: (Score:2)
You are basing this on what exactly?
What OS version are you running?
Re: (Score:1)
I am basing the fact that I am vulnerable on the Bluebox Security Scanner app linked in this article. My Nexus 7 is running Android 4.2.2
Re: (Score:2)
Ditto. My Nexus 4 has never received an OS update (unless it does this silently, which My old Nexus One never did).
Anyway, it's running 4.2.2 with a build date back in January.
Re: (Score:2)
That said, and even though I'm rooted (hey, is that why I haven't gotten any updates - I'm still on the stock ROM), I don't believe I've been hit by this exploit. Has anyone?
Re: (Score:2)
So the mere risk of something bad happening means you have to give up control to someone else? It's almost like personal responsibility is totally dead!
Re: (Score:2, Insightful)
That hot coffee lawsuit was not frivolous. This is an urban legend, they had been cited many times since it was too hot to safely drink. She suffered serious burns and required skin grafts.
Personal health insurance mandates are personal responsibility. You not having insurance and using the ER then skipping on the bill costs me and other insured folks money.
Unemployment does not last forever, and employed folks are paying for it. I sure as hell expect to be able to collect from an insurance policy I buy.
Re: (Score:2)
Re: (Score:2)
The coffee was undrinkable, it would have cooked your insides.
You can't sell a product not fit for purpose. Personal responsibility would have been McDonalds covering all her bills and giving her a nice settlement with no lawsuit. Instead McDonalds wanted someone else to cover their debts.
Re: (Score:2)
Re: (Score:2)
With great power comes great responsibility.
Re: (Score:1)
Re:Even the Android fanboys know (Score:4, Funny)
It's in a dialect of English usually known as Careless Autocorrect
Re: (Score:2)
Your smart phone IS a computer, FFS.
My new G3 has a dual-core 1.5GHz processor, 2G RAM, and 80G of SSD on a 720-line display.
My old netbook has a dual-core 1.5GHz processor, 2G RAM, 256 SSD and a 600-line display. (Until a month ago, it was my primary computer.)
They both run Linux (CM and Ubuntu, respectively). They both play movies. The phone will play better games than the netbook. I can carry the phone around and have it track my bike rides and runs.
They aren't phones. They're socially acceptable co
Split-screen (Score:2)
Re: (Score:2)
That said, do not download things from untrusted sources!
Especially a thing claiming to be "Vulnerability Checker".
Re: (Score:1)
Is there an App to check for bogus APKs? (Score:2)
For people who are stuck with vulnerable phones it should be possible for an app to scan the .apk you are considering side-loading and checking if it is a trojan using this particular vulnerability.
Re: (Score:3)
It should be easy to catch the package installed/updated broadcast and intercept exploits immediately after they install but before they can execute. About 20 lines of Java should do it.
The other interesting aspect of this exploit is you could automatically strip the malware payload and recover the safe, original apk, or a close enough facsimile of it.
Re: (Score:2)
If they have any sense the built in scanning will detect the malformed APK before allowing it anywhere near the installer service... it is trivially easy to detect.
Re: (Score:2)
I would assume opening the file in your favourite zip tool and checking there is only one classes.dex file should be sufficient.
Master key? (Score:1)
AFAIK the actual exploit is using duplicate filenames which aren't checked against hashes upon installation of apk...
Re:Master key? (Score:4, Informative)
That was the word Bluebox used to describe it... Honestly, their original press release blew this way out of proportion.
Most Android devices now have support for scanning of sideloaded APKs for Malware now (it's a Google Play service), and I'm assuming that while a week or two ago that detector wasn't configured to detect this exploit, it almost surely does by now.
Re: (Score:3)
That was the word Bluebox used to describe it... Honestly, their original press release blew this way out of proportion.
Most Android devices now have support for scanning of sideloaded APKs for Malware now (it's a Google Play service), and I'm assuming that while a week or two ago that detector wasn't configured to detect this exploit, it almost surely does by now.
Why should that get in the way of a good story? "Master key" sounds like something that will grant anyone access to your device, any time they want, without your permission, and plays so well with the "Android devices take months/years to get patched" meme. Which is all much more salacious than the reality, considering that only apps intentionally sideloaded by the user (After deactivating the default protection) can run with unchecked permissions, IF you haven't gotten the Google Play Store updates yet, w
Re: (Score:2)
Re: (Score:2)
" The AOSP patch addresses the part of Jellybean that verifies the cryptographic signature of sideloaded apps. That has to be updated on the device end--it's the "Verify Apps" option in the security menu."
Nope. Those are two separate things. The "Verify Apps" operation applies some or all of the same Play Store checks to sideloaded apps, and I believe is only available with gapps installed (I'll poke at that this weekend.)
The signature verification is part of the core Android system (even without gapps) a
MITM (Score:3)
I'm not sure if this is still true, but I do know that last week the Play store was still using HTTP downloads for the actual APK files instead of HTTPS (even though the API calls do use HTTPS). As such, even downloads from Play may be susceptible to man-in-the-middle attacks. I can't possibly explain it better than this group of comments:
http://it.slashdot.org/comments.pl?sid=3950207&cid=44220885 [slashdot.org]
I'm not saying it's likely - but it doesn't seem impossible either. Seeing as it will be a long time before the average Android user will be running a phone with this patch, I would call "crisis averted" too soon. Of course, we don't know if the complete HTTP download is still verified with checksum gotten from the HTTPS API, but somehow I doubt it.
Re: (Score:2)
I tried Googling this issue, and I couldn't find any sources to back it up. Seems like someone would have mentioned it...
Try Bing. ;)
Re: (Score:2)
I'm not sure if this is still true, but I do know that last week the Play store was still using HTTP downloads for the actual APK files instead of HTTPS (even though the API calls do use HTTPS). As such, even downloads from Play may be susceptible to man-in-the-middle attacks. I can't possibly explain it better than this group of comments:
http://it.slashdot.org/comments.pl?sid=3950207&cid=44220885 [slashdot.org]
I'm not saying it's likely - but it doesn't seem impossible either. Seeing as it will be a long time before the average Android user will be running a phone with this patch, I would call "crisis averted" too soon. Of course, we don't know if the complete HTTP download is still verified with checksum gotten from the HTTPS API, but somehow I doubt it.
A feature at the request of the NSA or your local union spook agency.
Re: (Score:1)
And what prevents you from doing this with any executable file format, be it APK, EXE, ELF or JAR? Disassemblers, unpackers and resource editors exist for all of those file formats. If you can run it, you can edit it, unless the format/architecture is totally undocumented.
Re: (Score:2)
The signing isn't meant to stop that, it's meant to stop updates to installed apps being replaced by malware. Re-signing won't let you update an installed app, you have to trick the user into uninstalling first. Which usefully can't be done for system apps by non-rooted users. Can't directly be done by any user.
Ultimately all signing does is verify that you're still dealing with the packager of the existing installed copy. The chain of trust still depends on trusting the first install, with this bug you're no
Establishing trust through SSL CAs (Score:2)
The chain of trust still depends on trusting the first install
There are ways to establish trust for the first install even if it is not from Google Play Store. For example, if I download the APK of VLC from https://www.videolan.org/ [videolan.org] then I'm piggybacking on the SSL CA infrastructure, which assures me of one of the following:
How likely are the scenarios other than A?
Conflict of interest? (Score:2)
In some strange way Google is having the cake (open and competing app stores, instead of the total lo
Re: (Score:2)
Re: (Score:1)
Android is a phone for ordinary consumers. 13 year old girls, middle aged builders, grandparents, everybody. Do they all know that "Full Network Access" is a clue that it might be a scam app?
Re: (Score:2)
A lot of people don't read that.
My co-worker has a taxi company's app. They want full permission for everything. I didn't load it.
https://play.google.com/store/apps/details?id=com.appbuilder.u66459p124918 [google.com]
Same with the Cineplex app. Way too many permissions for something that's just showing a ticket:
https://play.google.com/store/apps/details?id=com.fivemobile.cineplex&hl=en [google.com]
Privately (Score:2)
Permission rationales (Score:2)
Re: (Score:3)
> Simple enough, if your app knows what it needs to do, there is no need for "Full Network Access". I smell scam app.
Or an app that, like 98% of the free apps in Android Market, embeds Google's ads in the app. Then it needs full network access, coarse location, and read phone state & identity, among other things. It's the killer flaw in Android's permissions system... to serve ads from any common ad network, you have to practically give the app complete access to everything.
Instead of embedding ad-ha
CM 10.1.1 (Score:3)
For those running Cyanogenmod this has been patched in 10.1.1 [get.cm].
Re: (Score:2)
Here's the scary part -- 10.1.0rc5 is STILL the latest non-nightly build you can get for d2att (AT&T Galaxy S3), and it's ABSOLUTELY still vulnerable. I just ran the checker app now. :-(
Re: (Score:2)
Huh, are these d2att stable builds [get.cm] not what you're looking for?
It is about the appstore you use. (Score:3)
Re: (Score:2)
F-Droid, games, and anti-features (Score:2)