
News Android 'master key' discovery raises security risk

Discussion in 'Article Discussion' started by Gareth Halfacree, 4 Jul 2013.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,683
    Likes Received:
    1,967
  2. Snips

    Snips I can do dat, giz a job

    Joined:
    14 Sep 2010
    Posts:
    1,940
    Likes Received:
    66
    Since February? Wow, this is very bad.

    I think Google are keeping quiet whilst they work day and night to patch this, right?
     
  3. David

    David Take my advice — I’m not using it.

    Joined:
    7 Apr 2009
    Posts:
    13,343
    Likes Received:
    2,275
    You'd like to think so, wouldn't you?

    Even so, an awful lot of devices are likely to be left unpatched and vulnerable.

    Nice timing for Firefox OS though. :hehe:
     
  4. Jaybles

    Jaybles New Member

    Joined:
    12 Feb 2011
    Posts:
    981
    Likes Received:
    54
    And Jolla :)
     
  5. Nexxo

    Nexxo Queue Jumper

    Joined:
    23 Oct 2001
    Posts:
    33,622
    Likes Received:
    1,272
    Er...yes. Yes, of course they are. :worried:
     
  6. Dave Lister

    Dave Lister Member

    Joined:
    1 Sep 2009
    Posts:
    871
    Likes Received:
    10
    Following in Microsoft's footsteps, I wonder if custom ROMs still have this master key! Incidentally BT, I've still never seen you cover the story of all versions of Windows since Win 95 Second Edition having back door keys built in for various government agencies to snoop around!
     
  7. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,683
    Likes Received:
    1,967
    Prove it, and an article shall appear. Alternatively, use the search function to bring up such classics as Windows 7 security courtesy of the NSA or Crypto 'backdoor' in Vista SP1. :p
     
  8. Dave Lister

    Dave Lister Member

    Joined:
    1 Sep 2009
    Posts:
    871
    Likes Received:
    10
    Damn I'll have to go hunting for the article now !
     
  9. Dave Lister

    Dave Lister Member

    Joined:
    1 Sep 2009
    Posts:
    871
    Likes Received:
    10
  10. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,873
    Likes Received:
    248
    Technically there is no such thing as a "master key" to include in any ROM in this case. Publishers have their private key, and the installer in Android checks if the signature is valid using the public key. The issue is that there is a vulnerability in Android which allows you to modify the packages without the ownership of the publisher's private key. That is why they call it "master key", but there is no such thing to "have" in the Android ROM.

    It is exactly meant as a master key in terminology of locks and lockpicking. You got your lock (APK package) and your key (private key), and others have their own locks and keys too, which can open only their own locks. But someone got the "master key", which can open all those locks. It doesn't mean it was made by the lock manufacturer, or that your keys are not good anymore - it is simply that someone can use a different means to access your locks; or in case of this vulnerability, to modify packages of publishers without the knowledge of their private signing key.
     
    Tyinsar likes this.
  11. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,683
    Likes Received:
    1,967
    It was. There has never been any evidence of a back door in Windows for government agents - which is why you've never seen a story on Bit-Tech saying that there's a back door in Windows for government agents. Even when Microsoft accidentally leaked the Windows source code, guess what? No back door.

    I'm not saying there isn't one in there - in fact, I reckon there probably is - just that there is absolutely no evidence, and without evidence there's no story to tell. Like I said, if you can find evidence - not random conspiracy theory blogs rehashing a pre-millennial rumour long debunked - then I'd be more than happy to write it up and see it run as a front-page exclusive.
     
  12. SAimNE

    SAimNE New Member

    Joined:
    23 Oct 2012
    Posts:
    122
    Likes Received:
    0
    It's not as bad as it sounds for the users... worst case scenario, install a custom OS that supplies a fix if Google doesn't (there are going to be some). Though for Google this is going to be a decent blow to credibility if they don't fix this. Not to mention they would probably lose quite a few customers to the overpriced mess iOS.
     
  13. Dave Lister

    Dave Lister Member

    Joined:
    1 Sep 2009
    Posts:
    871
    Likes Received:
    10
    I'm guessing this story has just recently popped up on the radar because of the proven spying that has happened recently. But the second link does say that the second key has been shown to belong to the NSA, and the article is dated June of this year.
     
  14. Dave Lister

    Dave Lister Member

    Joined:
    1 Sep 2009
    Posts:
    871
    Likes Received:
    10
    Consider me more educated on the matter now, cheers for the explanation faugusztin
     
  15. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,683
    Likes Received:
    1,967
    The story which appears on a right-wing conspiracy site run by a single individual, you mean. Yeah, the source for that claim? Joseph Farah, a conspiracy theorist who was vocal in claiming that Barack Obama was not a US citizen, and therefore could not serve as president. After the birth certificate proving Obama's heritage was released, he claimed that he wouldn't believe it without seeing the long-form version of the birth certificate - going so far as to promise $15,000 to the hospital if it released the certificate. When the long-form birth certificate was released, he reneged on his offer and claimed that the certificate was fraudulent.

    What I'm trying to say here is this: don't trust news you read from anti-government right-wing types (or, indeed, left-wing types - basically, any extremism is bad extremism) especially when the news paints the government in a bad light. Especially don't trust people like Farah, who is neither a security expert nor a cryptographer, to have any idea what he's talking about when it comes to cryptographic signing keys.
     
  16. Andy Mc

    Andy Mc Well-Known Member

    Joined:
    23 May 2002
    Posts:
    1,726
    Likes Received:
    129
    So. Is this how PRISM is logging our mobile metadata then?




    Brb, Just getting my tinfoil hat.
     
  17. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,873
    Likes Received:
    248
    Just to be more detailed - while this "security hole" increases risk, it does so only for those who are already living a dangerous life in the first place. The reason is that while technically you could inject your own dangerous code into an application of another publisher, that is only a part of the publishing process. You would also need to distribute the app, and this is where you hit a wall - to put it on Play Store or Amazon Appstore, you would need to get the logon credentials of the publisher, to upload your modified version as a new version of the app from the publisher.

    Otherwise you would need to choose one of the less optimal distribution paths :
    - Play Store/Amazon Appstore, but the app would have to be published with a different publisher and different namespace, which pretty much defies the point of doing this in the first place
    - manual distribution (warez sites etc) - this is realistically the only place where this hole could work.

    In short - if you only use official application stores, you still don't have to fear about the security of your phone unless the publisher of the application got hacked.
     
  18. Dave Lister

    Dave Lister Member

    Joined:
    1 Sep 2009
    Posts:
    871
    Likes Received:
    10
    Fair enough. Nobody should be trusted really. Anyway it's good to know you guys are on the ball and know about the murkier side of things :)
     
  19. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,683
    Likes Received:
    1,967
    Quick update: CIO has word from third parties that Google's recent move to ban apps from self-updating outside Google Play was in response to this, and that Google Play itself has been updated to detect if files that are uploaded have been tampered with. It's also claimed that, while Google's stock Android install found on the Nexus family is still vulnerable, Samsung has apparently patched the Galaxy S4 to remove the flaw. No details yet on how, or how quickly other manufacturers will do the same for their own handsets.
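
Editor's added example, not code from any poster in this thread and not Google's actual check: one structural test a store or scanner could run on an uploaded package, relating to faugusztin's point that packages could be modified without the publisher's key and to the tamper detection mentioned above. The thread does not spell out the mechanism; the publicly documented flaw involved an APK whose ZIP directory listed the same file name more than once, so the bytes that were signature-checked and the bytes that were installed could differ. The sample archives are constructed in memory and are not real APKs.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(apk_bytes):
    """Return {name: [crc32, ...]} for every entry name listed more than once."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps every central-directory record, including repeats;
        # lookups by name (getinfo/read) would silently pick just one of them.
        for info in zf.infolist():
            seen[info.filename].append(info.CRC)
    return {name: crcs for name, crcs in seen.items() if len(crcs) > 1}


def is_ambiguous(apk_bytes):
    """True if any name maps to more than one entry, so the signed bytes and
    the installed bytes cannot be assumed to be the same."""
    return bool(duplicate_entries(apk_bytes))


def build_sample(entries):
    """Build a constructed test archive from a list of (name, data) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on repeats
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples with placeholder contents.
CLEAN = build_sample([("AndroidManifest.xml", b"manifest"),
                      ("classes.dex", b"signed code")])
SUSPECT = build_sample([("AndroidManifest.xml", b"manifest"),
                        ("classes.dex", b"placeholder A"),
                        ("classes.dex", b"placeholder B")])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, "ambiguous" if is_ambiguous(blob) else "ok",
              duplicate_entries(blob))
```

A package flagged this way should be rejected outright rather than "repaired", since there is no way to tell which copy the publisher signed.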
     
  20. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,873
    Likes Received:
    248
    It's not really a "murkier side", there are simply steps to publish an app in play store and you can't just go and publish an "Angry Birds" application with "ROVIO MOBILE LTD." set as publisher without really being "ROVIO MOBILE LTD.", as you can't register 2 publishers with the same name and you need to be able to access the Google Play Developer Console of the publisher to publish an app in their name in the first place.

    Sure, in the case when your user name and password are compromised and someone knows this "master key" trick, then yes, he could upload an updated version of an app without knowledge of the original signature - but in that case you have a much bigger problem than a malicious app uploaded in your own name :).
     
