
Android Master Key Vulnerability Checker Now Live 76

Posted by timothy
from the free-anonymous-testing dept.
darthcamaro writes "Last week, Rain Forest Puppy (aka Jeff Forristal) first disclosed the initial public report about an Android Master Key flaw. Code was released earlier this week for attackers to exploit the flaw — but what about users? Google has claimed that it has patched the issue, but how do you know if your phone/carrier is safe? Forristal's company now has an app for that. But even if your phone is not patched, don't be too worried, as risks are limited if you stick to a 'safe' app store like Google Play. 'The only way an Android user can be attacked via this master key flaw is if they download a vulnerable application. "It all comes down to where you get your applications from," Forristal said.'"
  • by MoronGames (632186) <cam.henlinNO@SPAMgmail.com> on Thursday July 11, 2013 @10:16AM (#44250175) Journal
    That most phones that are "in the wild" will probably never receive this patch unless they are current flagship devices. That said, do not download things from untrusted sources! That goes for not only smart phones, but computers as well!
    • by h4rr4r (612664) on Thursday July 11, 2013 @10:25AM (#44250293)

      1. People seem to not care. This is why I only buy Nexus devices though.
      2. Totally correct.

      I wish Google would use their leverage over the Android trademarks, not the software, to force updates for X amount of time and a longer amount of time for security patches. The real issue here is the whole carrier model. If you bought your PC from your ISP and they provided all the software for it, you would be in the same boat there.

      • by jeffmeden (135043)

        1. People seem to not care. This is why I only buy Nexus devices though.
        2. Totally correct.

        I wish Google would use their leverage over the Android trademarks, not the software, to force updates for X amount of time and a longer amount of time for security patches. The real issue here is the whole carrier model. If you bought your PC from your ISP and they provided all the software for it, you would be in the same boat there.

        Except, that is exactly what Google is doing. This vulnerability is being patched by pushing updated apps directly to the phones via the shadowy Google "remote control", and the carriers don't need to do anything about it. My handset was patched as soon as the Google updates started rolling out, and my carrier could care less.

        • by h4rr4r (612664)

          I more meant for vulnerabilities in the phone's non-writeable partitions. /system is normally mounted read-only. So if you need to patch something more basic to the OS, I would assume a carrier would be standing in the way.

    • Your smart phone IS a computer, FFS.

      My new G3 has a dual-core 1.5GHz processor, 2G RAM, and 80G of SSD on a 720-line display.

      My old netbook has a dual-core 1.5GHz processor, 2G RAM, 256 SSD and a 600-line display. (Until a month ago, it was my primary computer.)

      They both run Linux (CM and Ubuntu, respectively). They both play movies. The phone will play better games than the netbook. I can carry the phone around and have it track my bike rides and runs.

      They aren't phones. They're socially acceptable co

      • I agree that an Android smartphone is a personal computer. But when you plug your smartphone into an HDMI cable, how many windows can you keep open on the screen at once? Like you, I own an Android device and an Ubuntu netbook, in my case a Dell Inspiron mini 1012. When I'm programming on my netbook while riding the bus to and from work, I routinely split the screen down the middle to see the source code on the left and the output, another source code file, or documentation on the right. I imagine that even
    • by Beorytis (1014777)

      That said, do not download things from untrusted sources!

      Especially a thing claiming to be "Vulnerability Checker".

    • I only ever install from the Play Store with the single exception of the Avast Anti-Theft app. While Avast AV itself comes from the Play Store, I have to enable the option for downloading from untrusted sources to get the Anti-Theft portion. Why is that? (It seems poor design, but I assume there's a good reason.) I figure that if I trust Avast for AV than I should be able to trust their instructions for Anti-Theft. I always disable the untrusted sources feature immediately after the install/update, but
  • For people who are stuck with vulnerable phones it should be possible for an app to scan the .apk you are considering side-loading and checking if it is a trojan using this particular vulnerability.

    • It should be easy to catch the package installed/updated broadcast and intercept exploits immediately after they install but before they can execute. About 20 lines of Java should do it.

      The other interesting aspect of this exploit is you could automatically strip the malware payload and recover the safe, original apk, or a close enough facsimile of it.

    • by raburton (1281780)

      I would assume opening the file in your favourite zip tool and checking there is only one classes.dex file should be sufficient.

  • I have no idea what the mentioned 'master key' is supposed to be.
    AFAIK the actual exploit is using duplicate filenames which aren't checked against hashes upon installation of apk...
    • Re:Master key? (Score:4, Informative)

      by Andy Dodd (701) <[atd7] [at] [cornell.edu]> on Thursday July 11, 2013 @10:23AM (#44250273) Homepage

      That was the word Bluebox used to describe it... Honestly, their original press release blew this way out of proportion.

      Most Android devices now have support for scanning of sideloaded APKs for Malware now (it's a Google Play service), and I'm assuming that while a week or two ago that detector wasn't configured to detect this exploit, it almost surely does by now.

      • by jeffmeden (135043)

        That was the word Bluebox used to describe it... Honestly, their original press release blew this way out of proportion.

        Most Android devices now have support for scanning of sideloaded APKs for Malware now (it's a Google Play service), and I'm assuming that while a week or two ago that detector wasn't configured to detect this exploit, it almost surely does by now.

        Why should that get in the way of a good story? "Master key" sounds like something that will grant anyone access to your device, any time they want, without your permission, and plays so well with the "Android devices take months/years to get patched" meme. Which is all much more salacious than the reality, considering that only apps intentionally sideloaded by the user (after deactivating the default protection) can run with unchecked permissions, IF you haven't gotten the Google Play Store updates yet, w

      • My understanding is that the Play store was patched, so this vulnerability can't be exploited for apps uploaded to and downloaded from there. The AOSP patch addresses the part of Jellybean that verifies the cryptographic signature of sideloaded apps. That has to be updated on the device end--it's the "Verify Apps" option in the security menu. It's not part (yet?) of Google Play Services; it works without GApps installed. However, if you don't download .apk's from the internet, which 99.9% of people don'
        • by Andy Dodd (701)

          " The AOSP patch addresses the part of Jellybean that verifies the cryptographic signature of sideloaded apps. That has to be updated on the device end--it's the "Verify Apps" option in the security menu."

          Nope. Those are two separate things. The "Verify Apps" operation applies some or all of the same Play Store checks to sideloaded apps, and I believe is only available with gapps installed (I'll poke at that this weekend.)

          The signature verification is part of the core Android system (even without gapps) a
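The check proposed earlier in this thread (open the APK as a zip and confirm that no entry name, classes.dex in particular, appears twice) and the description of the flaw as duplicate filenames that are not checked at install time both come down to the same inspection of the zip central directory. The following is an added example, not code from this thread, from Bluebox, or from Android; the sample archives it builds are constructed in memory and are not real apps. It walks the central directory rather than looking entries up by name, because a name lookup returns only one of several same-named entries, which is exactly why a naive check misses the problem.

```python
import io
import sys
import warnings
import zipfile
from collections import Counter


def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed APK-shaped zip for testing (not a real app, not a real sample).

    With duplicate=True the archive carries two entries named classes.dex, the
    archive shape the thread describes: a name-based lookup sees only one of
    them, so two consumers of the same file can disagree about its contents.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names; here they are intended
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("classes.dex", b"dex\n035\x00first-entry")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00second-entry")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Map each entry name that occurs more than once in the central directory to its count.

    A well-formed APK has no repeated names, so a non-empty result is reason
    enough to refuse the file before it reaches the installer.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def contents_by_name(apk_bytes: bytes, name: str) -> list:
    """Return the bytes of every entry called `name`.

    Iterating infolist() and reading each ZipInfo object reaches all of them;
    zf.read(name) would silently return just one.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def verdict(apk_bytes: bytes) -> str:
    """Human-readable result for one archive."""
    dupes = duplicate_entries(apk_bytes)
    if not dupes:
        return "clean: no duplicate entry names"
    listing = ", ".join(f"{n} x{c}" for n, c in sorted(dupes.items()))
    return "suspicious: duplicate entries " + listing


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python apk_dupe_check.py some.apk (hypothetical script name)
        with open(sys.argv[1], "rb") as fh:
            print(verdict(fh.read()))
    else:
        print("benign sample    ->", verdict(build_sample_apk(False)))
        print("duplicate sample ->", verdict(build_sample_apk(True)))
```

The check is deliberately conservative: any repeated name is flagged, not only classes.dex, since the same archive property applies to every entry. It complements rather than replaces the signature verification that the platform patch fixes; a device with the patch rejects such a file at install time anyway.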

  • by SirJorgelOfBorgel (897488) on Thursday July 11, 2013 @10:28AM (#44250337)

    I'm not sure if this is still true, but I do know that last week the Play store was still using HTTP downloads for the actual APK files instead of HTTPS (even though the API calls do use HTTPS). As such, even downloads from Play may be susceptible to man-in-the-middle attacks. I can't possibly explain it better than this group of comments:

    http://it.slashdot.org/comments.pl?sid=3950207&cid=44220885 [slashdot.org]

    I'm not saying it's likely - but it doesn't seem impossible either. Seeing as it will be a long time before the average Android user will be running a phone with this patch, I would call "crisis averted" too soon. Of course, we don't know if the complete HTTP download is still verified with a checksum gotten from the HTTPS API, but somehow I doubt it.

    • by Applekid (993327)

      I'm not sure if this is still true, but I do know that last week the Play store was still using HTTP downloads for the actual APK files instead of HTTPS (even though the API calls do use HTTPS). As such, even downloads from Play may be susceptible to man-in-the-middle attacks. I can't possibly explain it better than this group of comments:

      http://it.slashdot.org/comments.pl?sid=3950207&cid=44220885 [slashdot.org]

      I'm not saying it's likely - but it doesn't seem impossible either. Seeing as it will be a long time before the average Android user will be running a phone with this patch, I would call "crisis averted" too soon. Of course, we don't know if the complete HTTP download is still verified with a checksum gotten from the HTTPS API, but somehow I doubt it.

      A feature at the request of the NSA or your local union spook agency.
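The question raised in this thread, whether an APK fetched over plain HTTP is checked against a digest obtained over the HTTPS API, is a question about whether the following verification step exists in the client. This is an added example of that step, not Play Store code; the "genuine" bytes, the digest that stands in for the HTTPS API response, and the tampered copy are all constructed here. Its value rests entirely on the digest arriving over the authenticated channel: a digest served next to the file over the same unauthenticated connection verifies nothing.

```python
import hashlib
import hmac
from typing import Iterable, Iterator


def sha256_of_stream(chunks: Iterable[bytes]) -> str:
    """Hash a download incrementally, as a client would while writing it to disk."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_download(chunks: Iterable[bytes], expected_sha256_hex: str) -> bool:
    """True only if the received bytes match the digest learned over the
    authenticated channel. compare_digest is a constant-time comparison."""
    actual = sha256_of_stream(chunks)
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def chunked(data: bytes, size: int = 4096) -> Iterator[bytes]:
    """Simulate a streamed body arriving in pieces."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def install_if_verified(apk_bytes: bytes, trusted_digest: str) -> str:
    """Gate the installer on the verification result."""
    if not verify_download(chunked(apk_bytes), trusted_digest):
        return "rejected: digest mismatch, not installing"
    return "verified: ok to hand to the installer"


# Constructed stand-ins (not real app data):
# GENUINE_APK is what the store published; TRUSTED_DIGEST is what the HTTPS API
# would report for it; TAMPERED_APK is the same body with one byte altered in transit.
GENUINE_APK = b"PK\x03\x04" + b"constructed apk bytes " * 400
TRUSTED_DIGEST = hashlib.sha256(GENUINE_APK).hexdigest()
TAMPERED_APK = GENUINE_APK[:-1] + b"X"


if __name__ == "__main__":
    print("genuine  ->", install_if_verified(GENUINE_APK, TRUSTED_DIGEST))
    print("tampered ->", install_if_verified(TAMPERED_APK, TRUSTED_DIGEST))
```

Note that the check compares the whole body, not a header or a size field, so truncation or a single altered byte anywhere in the archive is enough to reject it; the earlier comment's doubt was precisely about whether the complete download is covered.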

  • So this flaw affects mostly app stores competing with Google marketplace. Not fixing this bug would give an edge to Google's marketplace. Though it is orders of magnitude different, this was similar to a situation from the early days of the IE-vs-Netscape fights (IIS and IE would work around each other's bugs, making other web servers and browsers appear to be broken). How is Google handling it?

    In some strange way Google is having the cake (open and competing app stores, instead of the total lo

    • by Merk42 (1906718)
      The flaw doesn't affect 3rd party app stores any more than it does Google's. The issue is that an app store could host an app that takes advantage of said bug. As the Play Store is the most trustworthy to not do this, it is the recommended store.
  • by Riddler Sensei (979333) on Thursday July 11, 2013 @11:24AM (#44251039)

    For those running Cyanogenmod this has been patched in 10.1.1 [get.cm].

  • by briancox2 (2417470) on Thursday July 11, 2013 @11:29AM (#44251103) Homepage Journal
    If it's about the app store you use, then F-Droid has a leg up. Unlike Google's, everything on F-Droid has had human eyes look at what it does.
    • According to this post [f-droid.org], using any of the anti-features [f-droid.org] will hide an application from most users. How should one fund the development of, say, a video game to be distributed to users who have switched to F-Droid without putting in ads (which requires the "Ads" anti-feature) or charging for mission packs after the first (which requires the "NonFreeAdd" anti-feature)?
