Discussion in 'Article Discussion' started by Gareth Halfacree, 4 Jul 2013.
Ne'er-do-wells just got a new tool.
Since February? Wow, this is very bad.
I think Google are keeping quiet whilst they work day and night to patch this, right?
You'd like to think so, wouldn't you?
Even so, an awful lot of devices are likely to be left unpatched and vulnerable.
Nice timing for Firefox OS though.
Er...yes. Yes, of course they are.
Following in Microsoft's footsteps, I wonder if custom ROMs still have this master key! Incidentally BT, I've still never seen you cover the story of all versions of Windows since Win 95 Second Edition having back door keys built in for various government agencies to snoop around!
Prove it, and an article shall appear. Alternatively, use the search function to bring up such classics as Windows 7 security courtesy of the NSA or Crypto 'backdoor' in Vista SP1.
Damn, I'll have to go hunting for the article now!
Admittedly some sites are saying this was debunked years ago, but MS have never dismissed the claims apparently.
Technically there is no such thing as a "master key" to include in any ROM in this case. Publishers have their private key, and the installer in Android checks if the signature is valid using the public key. The issue is that there is a vulnerability in Android which allows you to modify the packages without owning the publisher's private key. That is why they call it a "master key", but there is no such thing to "have" in the Android ROM.
It is exactly meant as a master key in terminology of locks and lockpicking. You got your lock (APK package) and your key (private key), and others have their own locks and keys too, which can open only their own locks. But someone got the "master key", which can open all those locks. It doesn't mean it was made by the lock manufacturer, or that your keys are not good anymore - it is simply that someone can use a different means to access your locks; or in case of this vulnerability, to modify packages of publishers without the knowledge of their private signing key.
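To make the lock-and-key picture from the two posts above concrete, here is an added example (not code from the thread or from Android itself) of the publisher/installer model: the publisher hashes every entry of a package into a manifest and signs the manifest with a private key; the installer checks the signature with the public key and then checks each entry against the manifest, so changing an entry without the private key fails verification. The RSA parameters, the package layout and the rejection of duplicate entry names (a structural tamper check of the kind a store could run on upload) are all assumptions of this example, and the RSA modulus is a deliberately tiny toy, not a secure key.

```python
import hashlib
import io
import json
import warnings
import zipfile

# Toy RSA parameters (constructed for illustration, NOT secure): two Mersenne
# primes give a ~92-bit modulus, far too small for real use.
P = 2147483647            # 2^31 - 1
Q = 2305843009213693951   # 2^61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def _digest_int(data: bytes) -> int:
    # Hash the data, then reduce into the toy modulus (a real scheme pads instead).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, d: int = D) -> int:
    """Publisher side: only the holder of the private exponent can produce this."""
    return pow(_digest_int(data), d, N)


def verify(data: bytes, sig: int, e: int = E) -> bool:
    """Installer side: anyone with the public exponent can check it."""
    return pow(sig, e, N) == _digest_int(data)


def build_package(files: dict) -> bytes:
    """Hash every entry into a manifest, sign the manifest, and zip it all up."""
    manifest = {name: hashlib.sha256(body).hexdigest() for name, body in files.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
        z.writestr("META-INF/MANIFEST.MF", manifest_bytes)
        z.writestr("META-INF/CERT.SIG", str(sign(manifest_bytes)).encode())
    return buf.getvalue()


def verify_package(pkg: bytes, e: int = E):
    """Reject duplicate names, check the manifest signature, then check each entry's hash."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as z:
        names = z.namelist()
        if len(names) != len(set(names)):
            return (False, "duplicate entry names")
        try:
            manifest_bytes = z.read("META-INF/MANIFEST.MF")
            sig = int(z.read("META-INF/CERT.SIG"))
        except KeyError:
            return (False, "unsigned")
        if not verify(manifest_bytes, sig, e):
            return (False, "bad signature")
        manifest = json.loads(manifest_bytes)
        for name in names:
            if name.startswith("META-INF/"):
                continue
            if name not in manifest:
                return (False, f"unlisted entry {name}")
            if hashlib.sha256(z.read(name)).hexdigest() != manifest[name]:
                return (False, f"modified entry {name}")
    return (True, "ok")


def tamper(pkg: bytes, name: str, new_body: bytes) -> bytes:
    """Modify one entry without the private key; manifest and signature are left as they were."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as z:
        files = {n: z.read(n) for n in z.namelist()}
    files[name] = new_body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, body in files.items():
            z.writestr(n, body)
    return buf.getvalue()


def add_duplicate_entry(pkg: bytes, name: str, body: bytes) -> bytes:
    """Append a second entry with an existing name; the ZIP format allows it, a verifier should not."""
    buf = io.BytesIO(pkg)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")          # zipfile warns about the duplicate name
        with zipfile.ZipFile(buf, "a") as z:
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample package: two entries standing in for code and resources.
    pkg = build_package({"classes.dex": b"original code", "res/strings.xml": b"<x/>"})
    print(verify_package(pkg))                                   # (True, 'ok')
    print(verify_package(tamper(pkg, "classes.dex", b"injected")))   # (False, 'modified entry classes.dex')
    print(verify_package(add_duplicate_entry(pkg, "classes.dex", b"injected")))  # (False, 'duplicate entry names')
```

The point the example makes is the one faugusztin makes: nothing in the package or the installer is a "master key". The installer only ever holds the public half, so a flaw that lets a modified package pass verification is a defect in the checking logic, and the fix is on the verifier side (Android's installer, or a store checking uploads), not a key that anyone could revoke.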
It was. There has never been any evidence of a back door in Windows for government agents - which is why you've never seen a story on Bit-Tech saying that there's a back door in Windows for government agents. Even when Microsoft accidentally leaked the Windows source code, guess what? No back door.
I'm not saying there isn't one in there - in fact, I reckon there probably is - just that there is absolutely no evidence, and without evidence there's no story to tell. Like I said, if you can find evidence - not random conspiracy theory blogs rehashing a pre-millennial rumour long debunked - then I'd be more than happy to write it up and see it run as a front-page exclusive.
It's not as bad as it sounds for the users... worst case scenario, install a custom OS that supplies a fix if Google doesn't (there are going to be some). Though for Google this is going to be a decent blow to credibility if they don't fix this. Not to mention they would probably lose quite a few customers to the overpriced mess iOS.
I'm guessing this story has just recently popped up on the radar because of the proven spying that has happened recently. But the second link does say that the second key has been shown to belong to the NSA, and the article is dated June of this year.
Consider me more educated on the matter now, cheers for the explanation faugusztin
The story which appears on a right-wing conspiracy site run by a single individual, you mean. Yeah, the source for that claim? Joseph Farah, a conspiracy theorist who was vocal in claiming that Barack Obama was not a US citizen, and therefore could not serve as president. After the birth certificate proving Obama's heritage was released, he claimed that he wouldn't believe it without seeing the long-form version of the birth certificate - going so far as to promise $15,000 to the hospital if it released the certificate. When the long-form birth certificate was released, he reneged on his offer and claimed that the certificate was fraudulent.
What I'm trying to say here is this: don't trust news you read from anti-government right-wing types (or, indeed, left-wing types - basically, any extremism is bad extremism) especially when the news paints the government in a bad light. Especially don't trust people like Farah, who is neither a security expert nor a cryptographer, to have any idea what he's talking about when it comes to cryptographic signing keys.
So. Is this how PRISM is logging our mobile metadata then?
Brb, just getting my tinfoil hat.
Just to be more detailed - while this "security hole" increases risk, it does so only for those who are already living a dangerous life in the first place. The reason is that while technically you could inject your own dangerous code into an application of another publisher, that is only a part of the publishing process. You would also need to distribute the app, and this is where you hit a wall - to put it on the Play Store or Amazon Appstore, you would need to get the logon credentials of the publisher, to upload your modified version as a new version of the app from the publisher.
Otherwise you would need to choose one of the less optimal distribution paths:
- Play Store/Amazon Appstore, but the app would have to be published with a different publisher and different namespace, which pretty much defies the point of doing this in the first place
- manual distribution (warez sites etc.) - this is realistically the only place where this hole could work.
In short - if you only use official application stores, you still don't have to fear for the security of your phone unless the publisher of the application got hacked.
Fair enough. Nobody should be trusted really. Anyway, it's good to know you guys are on the ball and know about the murkier side of things.
Quick update: CIO has word from third parties that Google's recent move to ban apps from self-updating outside Google Play was in response to this, and that Google Play itself has been updated to detect if files that are uploaded have been tampered with. It's also claimed that, while Google's stock Android install found on the Nexus family is still vulnerable, Samsung has apparently patched the Galaxy S4 to remove the flaw. No details yet on how, or how quickly other manufacturers will do the same for their own handsets.
It's not really a "murkier side", there are simply steps to publish an app in the Play Store, and you can't just go and publish an "Angry Birds" application with "ROVIO MOBILE LTD." set as publisher without really being "ROVIO MOBILE LTD.", as you can't register 2 publishers with the same name and you need to be able to access the Google Play Developer Console of the publisher to publish an app in their name in the first place.
Sure, in the case where your user name and password are compromised and someone knows this "master key" trick, then yes, he could upload an updated version of an app without knowledge of the original signature - but in that case you have a much bigger problem than a malicious app uploaded in your own name.