The words “Master Key bug” would probably send shivers down the spines of anyone who is even remotely concerned about the security of the Android platform and of their devices. It seems that the problem is not yet over as the newly released Android 4.4 is affected by yet another variant of this dreaded Master Key bug.
The bug made headlines in July when Bluebox Security disclosed the vulnerability that could potentially affect 99 percent of all Android devices. The issue is with how Android handles the verification and installation of apps, which has a security hole that will allow malicious people to modify the content of an app without changing the cryptographic signature that is used to ensure the app’s identity. Although Google has been said to have patched the exploit, it is unknown whether those fixes have trickled down to end users via manufacturers and carriers.
Saurik, who develops the Cydia set of security-oriented apps, says that a similar Master Key bug can be found in Android 4.4. Although the strain of this bug is less severe than previous incarnations, it is still strong enough to cause an exploit. Saurik has provided a more detailed analysis of the bug as well example programs that tries to gain access via the bug. Saurik has also updated his Cydia apps that will patch the bug on installed and rooted systems.
The bug has supposedly been fixed as well for Android 4.4, but, as always, the bottleneck will be manufacturers and carriers. While those using Google’s Nexus devices, or even those running custom ROMs, might receive the patch as soon as possible, it might take some time before OEMs roll out an update, in no small part due to the layers of modifications they apply on top of Android.
VIA: AndroidBeat
No comments:
Post a Comment