'Master Key' Security Hole Affects 99 Percent of Android Phones

Article Placeholder Image
By William Peacock, Esq. on July 05, 2013 10:03 AM

Rule No. 1 for smartphones: Only install applications from trusted sources (such as Apple's App Store, Google Play, or Amazon's App Store).

Bluebox Security has just released some thankfully vague details on what might be the biggest security flaw in smartphones to date -- a coding bug that could allow a hacker to change the code in an app without being detected by the system, allowing that hacker to take control of the phone, its functions (such as calls and data), and its data (emails, passwords, etc.).

The trick is to change the code inside the app's installation package without modifying its "crypographic signature." How one goes about doing this isn't clear, nor are their any reports of this trick being used so far. Bluebox notified Google about the flaw back in February, and since then, their Google Play app store has been patched to prevent the dissemination of hacked apps. The Galaxy S4 has also been patched, reports TechCrunch. The security company plans to release more extensive details at an upcoming hacking conference.

So if Google and Samsung have already began plugging up the holes, what's the big deal?

This flaw has been around since Android version 1.6. The most current version is 4.2.2. Ninety-nine percent of Android devices contain an affected version of the operating system.

From the information provided by Bluebox, it seems that a hacked version of a basic app, like a game, may not be that big of a deal, as it would likely only give the hacker access to data from that game itself.

However, if a hacker were to crack the code of a manufacturer's app, such as bundled software from Samsung, LG, HTC, or Motorola, that could be significantly worse, as those apps tend to have deeper permissions in the phone's system. Such a hack would allow access to nearly everything on the phone, from stored passwords to the data connection. Malicious use of the data connection, of course, could result in a higher phone bill.

The biggest problem, however, will be fixing the "Master Key" security flaw. Google itself cannot release a single update for all phones, though it can (and almost certainly will) for all Nexus-branded devices, as these are Google's own "pure" developer devices. Instead, each manufacturer will have to develop a patch for each device. If you've ever owned an Android device, you'll know how slow companies are to release updates (if they don't abandon the device first), which is why many phones are still running variants of Android 2.0 instead of the latest 4.22.

For users, the best bet is to watch your data usage for signs of a higher-than-normal use. Also, stick to Google Play apps and never install an app from untrustworthy sources.

Related Resources: