What to do about “master key” security flaw in Android?

landon

Apparently a significant security risk has been found in Android devices going all the way back to version 1.6. According to the folks at Bluebox security that found it, the flaw can be used to completely take over your Android phone, access passwords, and do lots of other unsavory things. As much as I like Android, rapid patches are not something that I would call common, so I assume this will be an issue for some time to come. What can be done to minimize risk in the meantime?

Topic: Security
Answer this Question

Answers

4 total
Christopher Nerney
Vote Up (11)

If you have a Samsung Galaxy S4, you're in luck because the South Korean manufacturer reportedly has produced a patch for that device, with Google and other Android device makers working on their own. Otherwise, here's what Bluebox recommends:

 

  • Device owners should be extra cautious in identifying the publisher of the app they want to download.
  • Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
  • IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.

 

 

jimlynch
Vote Up (10)

Relax: Google, Carriers Patching Android "Master Key" Exploit
http://www.tomshardware.com/news/Donut-Master-Key-Bluebox-Security-Explo...

"Now it seems that Google and wireless carriers are finally getting around to rolling out a security fix. Verizon Wireless is now issuing an OTA update from Motorola for the DROID RAZER HD and MAXX HD (pdf), but it's not the 4.2.2. update customers have been waiting for. Instead, it's a small 50 MB patch (v9.20.1.XT926) that reportedly enhances GPS reliability, data metering and Bluetooth connectivity, fixes a few SMS bugs and updates the Backup Assistant and SMARTACTIONS apps. It also supposedly fixes the four year-old "Master Key" security hole described by Forristal on the device level.

Gina Scigliano, Google's Android Communications Manager, confirmed with ZDNet that OEMs are now distributing patches to plug the Bluebox security hole. She also assured device owners that Google has not seen any signs of exploitation on Google Play and other Android app stores."

PapaRiver
Vote Up (9)

Google has released a patch to fix the flaw and has shared it will Android manufacturers. I’m sure that now we will all be getting updates promptly. Oh, wait.....no I’m not. 

wstark
Vote Up (7)

I like Christopher’s solution to get an S4 without the issue....except the unfortunate paying for it part. Otherwise, choose the apps you install carefully, and if possible install them from Google Play. A CIO article last week said that Google had already made changes to Play that removed any apps that exploit this, so there is attention being paid to the issue. As someone who sideloads a lot of apps from non-Play sources, news of this security hole is an issue of concern for personal use as well as from a BYOD perspective.

Ask a question

Join Now or Sign In to ask a question.
Security researchers have recently found a vulnerability that could be used to hijack Android apps and devices, but an older issue that can have the same effect remains a significant threat nearly two years after its discovery, according to security firm Bromium.
Malicious hackers are using remote access tools to break into retail point-of-sale systems and plant malware on them, the Department of Homeland Security warned.
A new program that encrypts files to extort money from users highlights that attackers don't need advanced programming skills to create dangerous and effective ransomware threats, especially when strong encryption technology is freely available.
Privacy campaign group Europe-v-Facebook is inviting Facebook users outside the U.S. and Canada to join a lawsuit against the company, which it alleges violates privacy laws.
The team at Mitro Labs, the developer of a password manager, is joining Twitter, and its software is being released under a free and open source license, Mitro said Thursday.
The latest release of a Microsoft security tool that's designed to stop exploits lets administrators control when third-party plugins are launched, a long favored route for attackers.
Some of those seeking to scrub their histories from the Web under Europe's "right to be forgotten" rule are being economical with the truth when making their requests, Google said Thursday.
Most USB devices have a fundamental security weakness that can be exploited to infect computers with malware in a way that cannot easily be prevented or detected, security researchers found.
A U.S. district court judge has ruled against Microsoft in the company's effort to oppose a U.S. government search warrant for emails stored in Ireland.
Hackers attacked the infrastructure of Tor, the anonymizing service, earlier this month in an incident that may have compromised a number of hidden services, according to an announcement posted today by the Tor Project's director, Roger Dingledine.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

randomness