
‘Master Key’ Flaw Puts Data at Risk


Written by Sue Poremba
Jul 8, 2013

As an Android user, I know to take steps to make sure my devices stay secure.

The first thing I do whenever I get a new device is download trusted security apps from the official Google Play store. I read the descriptions of the apps and ensure that they scan everything I download for malware.

However, a company called Bluebox Security now warns that Android’s real security problem may not be malware, but instead a vulnerability in how Android verifies changes to an app’s code. This weakness allows hackers to convert any legitimate app into “a malicious Trojan” without notifying Google Play, the phone or the user. Jeff Forristal with Bluebox called it a “master key” into the Android system, putting up to 900 million Android phones at risk. Forristal detailed the issue in this way:

The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.

But the really scary part is, this isn’t a new problem. Grayson Milbourne, security intelligence director at Webroot, told me that this flaw has been present in Android devices since 2009. As far as we know, cybercriminals haven’t exploited the vulnerability of the “master key,” but it must be a major security concern for anyone who uses an Android device—except for the Galaxy S4 which, according to Info Security Magazine, has been patched. We know that just because something hasn’t been exploited doesn’t mean it can’t be or won’t be, and in this BYOD world, the “master key” flaw could put both personal and corporate data at risk. Milbourne explained to me:

The key to mobile security is to protect devices from all sides. Consumers and businesses should ensure they have the four corners of mobile security covered: identity protection to protect passwords and other personal information; the ability to automatically block mobile threats from malware and malicious apps, an in-built device locator which helps find your mobile phone if stolen and finally the system installed should be designed to ensure the usability of the device is not forfeited in the name of security – users are more likely to ignore security protection if it hampers the rich features of their device. With these four pillars in place, you form a strong line of defense against cybercrime which will go some way to protecting against the potential threat of the “master key.”

The Google Play store has also been patched so that no contaminated apps can be uploaded to its servers, according to Android Central. And remember, your best bet to keep your Android device safe is to use Google Play for downloads.

Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
