LAS VEGAS: Jeff Forristal, aka Rain Forest Puppy, made headlines around the globe earlier this month when he revealed a new Android master key vulnerability that could potentially put all Android devices at risk of exploitation.
Today at the Black Hat Security conference, Forristal delivered a talk that detailed precisely what the Android master key vulnerability is all about. As Forristal explained, Google’s Android had multiple vulnerabilities in how the operating system verifies JAR/ZIP/APK files, which run on Android devices.
Calling it a master key flaw is a bit of a misnomer as it’s not a single key, Forristal said. Rather, it’s a family of bugs that allow an attacker to bypass signature verification. There are at least four currently known variants of the master key flaw.
Forristal found the flaw by accident during a project in which he and his team worked on getting Android’s Google Maps program to report an incorrect location. This challenge eventually led him down the road to the discovery of the master key flaw.
Is Android Flaw Google’s Fault?
The root cause of the issue is that Android has some ZIP parser discrepancies. As it turns out, Android has eight separate file parsers that don’t all reuse the same code. “Android is a multi-component system so it’s understandable how it got there,” Forristal said.
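To make the idea of a parser discrepancy concrete, here is an added example (not code from the talk or from Android) of a defensive check that flags archives two parsers would read differently. It assumes one well-known kind of discrepancy, duplicate entry names resolved as "first wins" by one parser and "last wins" by another; the article does not say which discrepancies were involved, and the function and entry names are hypothetical.

```python
import io
import warnings
import zipfile


def build_sample(names):
    """Build an in-memory ZIP from the given entry names (constructed test data)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile emits a UserWarning when a name is written twice.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, f"content-{i}".encode())
    return buf.getvalue()


def first_wins(data):
    """Parser model A (assumed): the first entry with a given name is used."""
    seen = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            seen.setdefault(info.filename, zf.read(info))
    return seen


def last_wins(data):
    """Parser model B (assumed): a later entry replaces an earlier one."""
    seen = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            seen[info.filename] = zf.read(info)
    return seen


def ambiguous_entries(data):
    """Names whose content differs between the two parser models.

    A non-empty result means a verifier and a loader built on different
    parsers could each see a different file, so the archive should be rejected.
    """
    a, b = first_wins(data), last_wins(data)
    return sorted(name for name in a if a[name] != b[name])


if __name__ == "__main__":
    sample = build_sample(["manifest.txt", "lib/module.bin", "lib/module.bin"])
    print("reject" if ambiguous_entries(sample) else "accept", ambiguous_entries(sample))
```

A scanner that rejects any archive with a non-empty result closes this gap regardless of which parser a downstream component uses.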
Google has already made the fix to address Android’s master key issues, though the fix hasn’t yet filtered down to all end users. For example, Google’s own Nexus phones have not yet received an over-the-air (OTA) update, though code fixes are available.
As experts often point out, Android updates have to pass through both device manufacturers and service providers before getting to end users. The process tends to be a slow one because of the multiple versions of Android in use.
Forristal sees the master key issue as being a positive for Android security. The increased visibility resulting from revealing the flaw has lots of people asking questions about the popular operating system and updating their devices.
“The attention from this flaw has gotten people to ask the right questions about mobile security and that’s good,” Forristal said.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.