Inside the Bluebox Android Master Key Vulnerability
Are you at risk for an Android vulnerability that involves the verification process for the popular OS? Find out!
Every security researcher dreams of the day they can find one master vulnerability that acts like a skeleton key to unlock an entire system. Jeff Forristal, aka Rain Forest Puppy, has found this kind of vulnerability in Android, the wildly popular mobile operating system.
The vulnerability involves a feature that is intended to actually help secure Android. The problem resides in how Android verifies JAR/ZIP/APK files, which run on Android devices.
"The verification is relevant to enforcing and enacting the entire Android security model," Forristal told eSecurity Planet. "So what we're really saying here is that the entire Android security model is broken."
Forristal explained that Google Android applications use a cryptographic verification to sign the hash of various files. The flaw resides in the verification process itself as opposed to any specific cryptographic key or algorithm.
"It is a flaw in the Android code that runs on Android devices that actually performs the verification at the point in time that an app is installed," Forristal said.
Disclosure and Patch Code
Forristal first responsibly disclosed the flaw to Google in February of this year. It is currently known by Google as Android security bug 8219321.
The flaw is present in all versions of Android from 1.6 forward. Forristal said that all of Google's Open Handset Alliance Android partners got the patch code in March. The patch has now also surfaced in the CyanogenMod, after-market firmware for rooted Android devices.
Forristal stressed that bug finders and vendors should always actively communicate and take the time necessary to move forward and manage the risk from reported flaws.
In the case of this master key flaw, Google initially set the timeline for disclosure at 90 days, with the idea being that by June many Android ecosystem partners would already have fixes out to users.
Android Download Danger
The only way an Android user can be attacked via this master key flaw is if they download a vulnerable application.
"It all comes down to where you get your applications from," Forristal said.
That means if a user gets their applications from trusted sources like Google Play, the risk of the master key exploit is not high, even if the given device has not been updated with the latest patched Android code. Forristal noted that he has seen reports that he has not been able to independently verify, that indicate Google is already scanning apps in the Play store to mitigate risk.
A recent study from Juniper found that the vast majority of all Android malware is derived from non-Google Play app stores. Forristal noted that many users get their apps from place other than Google Play. For example, both Samsung and HTC have their own app stores that are typically installed by default on phones and it's not entirely clear what the scanning policies are for those.
Forristal's security firm Bluebox is still technically in its stealth mode of operation. In March of this year, Bluebox released a tool called Dexter, a free service that helps researchers collaborate around the static analysis of mobile apps.
The Android Master Key flaw is a separate effort from Dexter, though Forristal noted that a tool like Dexter could be used to help review code.
"Dexter is about analyzing the apps and this particular bug is more about the core Android OS itself," Forristal said.
Forristal plans to detail the full story of how the Android master key flaw was discovered in a presentation at the Black Hat security conference later this month.
Are You At Risk?
While Google has made patched code available to Android vendors, it's not clear whether all vendors and their carrier partners have made the patched code available to end-users.
In order to determine if you are at risk, Forristal has built an app on the Google Play store to identify the patched code.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.