
Android 'Master Key' Security Flaw Affects 900M Google Devices

By Clyde Hughes   |   Friday, 05 Jul 2013 08:39 AM

Tech experts warned Android users of a security flaw this week: Hackers could modify Android code into a "master key" that could turn 99 percent of the devices dormant and make them vulnerable to data theft.

Jeff Forristal, of Bluebox Security, wrote on his corporate blog that the security flaw could affect any Android device that has been purchased in the last few years. 


"The implications are huge," Forristal said on his blog. "This vulnerability, around at least since the release of Android 1.6 . . . could affect any Android phone released in the last 4 years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."

The vulnerability stems from discrepancies in how Android apps are cryptographically verified, which would allow an attacker to modify application packages without breaking their cryptographic signatures, IDG News Service reported.

"This is important for the Android security model because it ensures that sensitive data stored by one application in its sandbox can only be accessed by new versions of that application that are signed with the original author's key," Lucian Constantin of IDG reported. "The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures."

There is some good news, however. Forristal confirmed that one third-party device, the Samsung Galaxy S4, already has the fix, which indicates that some device manufacturers have already started releasing patches. Google has not released patches for its Nexus devices yet, but the company is working on it, he said.

Bluebox Security suggests that Android users exercise caution when downloading an app. Enterprises with BYOD implementations should use this news to prompt all users to update their devices and emphasize the importance of keeping apps up to date all the time.

On the corporate side, information technology specialists should move beyond device management and focus on deep device integrity checking to secure corporate data.
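As an added example (not from the article or from Bluebox), here is one integrity check an IT team could run on APKs before allowing installation. It assumes the cause later documented publicly for this flaw, which the article does not state: an APK is a ZIP archive, and one that stores the same entry name twice can be read differently by the signature verifier and by the installer. The function names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import warnings
import zipfile
from collections import defaultdict


def find_duplicate_entries(apk_bytes):
    """Return {entry_name: [sha256 of each copy]} for names stored more than once."""
    copies = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() yields one ZipInfo per central-directory record, so
        # repeated names stay visible; lookups by name would collapse them.
        for info in zf.infolist():
            copies[info.filename].append(hashlib.sha256(zf.read(info)).hexdigest())
    return {name: digests for name, digests in copies.items() if len(digests) > 1}


def build_sample(duplicate):
    """Constructed sample archive (not a real APK) for the demonstration."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on repeated names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"original code")
            if duplicate:
                zf.writestr("classes.dex", b"different code")
    return buf.getvalue()


def verdict(apk_bytes):
    """Classify an archive: 'ok', or a rejection reason if names repeat."""
    dups = find_duplicate_entries(apk_bytes)
    if not dups:
        return "ok"
    # Copies with differing hashes mean two parsers can see different content.
    differing = any(len(set(d)) > 1 for d in dups.values())
    return "reject: conflicting duplicates" if differing else "reject: duplicates"


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("tampered", build_sample(True))):
        print(label, verdict(sample), sorted(find_duplicate_entries(sample)))
```

A legitimately built APK has no reason to repeat an entry name, so any hit is grounds to quarantine the package rather than a heuristic score.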


© 2015 Newsmax. All rights reserved.
