
Uncovering Android Master Key That Makes 99% of Devices Vulnerable - whiskers
http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key
======
ctz
This is tantalising and makes me want to work out what the problem is pre-
Blackhat. Looking at JAR signing in general (which is what Android packages
are) I see a few possible flaws:

* The zip format doesn't structurally guarantee uniqueness of names in file entries. If the APK signature verification chooses the first matching file entry for a given name, and unpacking chooses the last then you're screwed in the way described.

* The JAR signing scheme signs a file containing hashes of file name/data hash pairs. However, there seems no part of the verification steps (in the JAR specification) where _extra_ files not mentioned in the signed data cause signature rejection. This seems like a bad idea.

From the description, though, it sounds like a key management problem. Anyway,
this talk is definitely on my Blackhat schedule!
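
The two flaws ctz lists above, shown as an added worked example (not code from the post, from Bluebox, or from Android itself). It models only the MANIFEST.MF digest layer of JAR signing with Python's zipfile module and assumes the manifest is authenticated by the usual .SF/.RSA chain, which is not modelled. The classes.dex and resources.arsc contents are constructed placeholders, and `naive_verify`, `strict_verify`, `installed_dex` and `demo` are hypothetical names. The "verifier takes the first entry, installer takes the last" split is reproduced with zipfile's `infolist()` order versus its by-name lookup, which keeps the last central-directory record for a duplicated name; this illustrates the pattern, not Android's actual code path.

```python
import base64
import hashlib
import io
import warnings
import zipfile

# Constructed placeholder contents; not taken from any real APK.
GOOD_DEX = b"dex\n035\x00 benign classes.dex"
EVIL_DEX = b"dex\n035\x00 attacker-controlled classes.dex"
RES = b"<resources/>"


def sha1_b64(data: bytes) -> str:
    """JAR manifests carry base64(SHA-1(entry contents)) as SHA1-Digest."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(entries: dict) -> bytes:
    """Minimal MANIFEST.MF: main section, then a Name:/SHA1-Digest: section per entry (no 72-byte folding)."""
    out = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        out += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return ("\r\n".join(out) + "\r\n").encode()


def parse_manifest(raw: bytes) -> dict:
    """Return {entry name: SHA1-Digest}; joins continuation lines (leading space)."""
    unfolded = []
    for line in raw.decode().splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    digests, section = {}, {}
    for line in unfolded + [""]:            # sentinel flushes the last section
        if line == "":
            if "Name" in section and "SHA1-Digest" in section:
                digests[section["Name"]] = section["SHA1-Digest"]
            section = {}
        else:
            key, _, value = line.partition(": ")
            section[key] = value
    return digests


def build_apk(files: list, manifest_files: dict) -> bytes:
    """Write a zip from an ordered (name, data) list so duplicate names can be emitted deliberately."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")      # zipfile warns on duplicate names but still writes both
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", build_manifest(manifest_files))
            for name, data in files:
                zf.writestr(name, data)
    return buf.getvalue()


def naive_verify(apk: bytes) -> bool:
    """Flawed verifier: first central-directory entry for a name wins, unlisted entries are ignored."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        seen = set()
        for info in zf.infolist():          # central-directory order, duplicates included
            if info.filename.startswith("META-INF/") or info.filename in seen:
                continue
            seen.add(info.filename)
            expected = digests.get(info.filename)
            if expected is not None and sha1_b64(zf.open(info).read()) != expected:
                return False
        return True


def strict_verify(apk: bytes) -> bool:
    """Hardened verifier: reject duplicate names, entries absent from the manifest, and bad digests."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        names = [i.filename for i in zf.infolist()]
        if len(names) != len(set(names)):
            return False                     # ambiguous archive: verifier and installer may disagree
        for info in zf.infolist():
            if info.filename.startswith("META-INF/"):
                continue
            if info.filename not in digests:
                return False                 # content the signer never covered
            if sha1_b64(zf.open(info).read()) != digests[info.filename]:
                return False
        return True


def installed_dex(apk: bytes) -> bytes:
    """What a by-name installer gets: zipfile's name table keeps the *last* entry for a duplicated name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read("classes.dex")


def demo() -> dict:
    signed = {"classes.dex": GOOD_DEX, "resources.arsc": RES}
    honest = build_apk([("classes.dex", GOOD_DEX), ("resources.arsc", RES)], signed)
    dup = build_apk([("classes.dex", GOOD_DEX), ("resources.arsc", RES), ("classes.dex", EVIL_DEX)], signed)
    extra = build_apk([("classes.dex", GOOD_DEX), ("resources.arsc", RES), ("assets/x.bin", b"unsigned")], signed)
    return {
        "honest": (naive_verify(honest), strict_verify(honest)),
        "duplicate": (naive_verify(dup), strict_verify(dup), installed_dex(dup) == EVIL_DEX),
        "extra": (naive_verify(extra), strict_verify(extra)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

For the duplicate-entry archive the naive verifier returns True because it hashes the first classes.dex, while the by-name lookup hands the installer the second, attacker-controlled one; the unlisted-entry archive also passes the naive check. The strict verifier rejects both, and only the honest archive passes it. The practical takeaway is that a verifier and an installer must walk the archive the same way, and that duplicate names should be a hard error rather than a tie to be broken.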

~~~
dsl
You should really dig into this more, regardless of Bluebox's work.

I was approached about buying two different Android 0days related to APK
signing about 3 months ago, so definitely some issues to be found. The seller
wanted unrealistic terms, so I never got full details.

------
kyrra
Maybe I'm missing something, but I don't see how this security bug could be
used against a majority of people. Can someone explain to me how this exploit
could be used against people?

To me, it seems like someone would have to side-load an application. Anything
coming from the Play store should be safe?

~~~
donutdan4114
Sit on an open wi-fi network that you're connected to and intercept Play Store
traffic and spoof an app update, like Gmail, inject my malicious app download
URL which might look exactly like the Gmail app, except my malicious version
of Gmail also sends your emails to me.

Then I go to paypal, forgot password, get email, gain account access, ruin
your life.

Not sure how plausible any of this is, I'd have to be a really dedicated
hacker to set all that up. _But it's all possible._

_Also, never ever ever EVER connect to open wi-fi._

~~~
corresation
Your scenario doesn't work at all given that such traffic is encrypted -- you
can't simply inject into it. If someone breaks that, we have much bigger
problems.

However, to your ending comment, some time back I asked whether passwords
actually gave you security from other people who know the same password (e.g.
a coffee shop that has a big sign telling you the WPA password). While I have
zero knowledge to confirm or deny this, someone in the know claimed that no,
given that the wifi password is used for the initial key exchange, it offers
superficial interception/monitoring protection against someone malicious who
knows the same password. Take that with a grain of salt, but I never could
find other resources on that.

~~~
kalleboo
I just checked - the Play store downloads aren't encrypted (client hits a HTTP
URL that 301 redirects to another HTTP url) and all of these were fully
visible in a HTTP proxy. There may be some additional hash-checking going on
though, I can't say for sure (the actual listings of apps and their details
are indeed encrypted). Hopefully they're not relying 100% on the APK signature
check for downloads.

~~~
ge0rg
There is additional hash checking indeed. Google Play will fail to install an
APK you MitM to the app.

Edit: the hash checking is done _in addition to_ the APK signature
verification, i.e. you can not replace the APK with a different APK signed
with the same developer key.

------
mdaniel
Is it my imagination or is 5 months a very short disclosure window for a
vulnerability that affects Androids since Donut?

I think about how manufacturers drag their feet on normal updates and can't
imagine what heaven and earth movement would be required to patch this
industry wide.

Then again, maybe the attack surface for this is small enough that it's
manageable.

~~~
nwilliams
I think Google itself sets a higher bar than even 5 or 3 months for other
companies and itself.

[http://www.darkreading.com/vulnerability/google-sets-new-agg...](http://www.darkreading.com/vulnerability/google-sets-new-aggressive-7-day-deadlin/240155757)

~~~
CGamesPlay
Those are for bugs that are "under attack", where it's important that those
being attacked have the information necessary. There's no evidence that this
is being exploited in the wild (at this point).

~~~
gtirloni
"Under attack" allows people to distort reality as much as they want for their
own benefit. Google sure looked like a tough cookie by disclosing bugs in 7
days and now it gets a pass.

------
tenpoundhammer
If I'm reading this correctly, this hack would potentially allow a standard
app developer to create an app that has elevated permissions and thereby be
able to access and transmit any data on the phone.

The story also says that this hack could be used to send text messages and
other communications. In the wrong hands this could be a devastating financial
and social exploit.

~~~
peter487
It gives you the ability to modify the app without changing its cryptographic
signature. If such a problem existed in the standard PC world, it would
essentially give you the ability to modify a binary without changing its
hash.

This is a major blow to an essential part of the Android security system; the
core functionality is broken, the consequences can be massive, not to mention
it will never be fixed on old devices.

~~~
atesti
I don't get why this is a problem.

In the PC world, authenticode on executables does not really offer that much
security: Any malware can be signed and you normally don't verify the
signature of applications.

And with Android: Just because APKs could be forged, what exactly is the
attack vector? If sideloading is not enabled, and the play store uses HTTPS,
how would such a forged APK with a stolen signature get placed on your
device? Could other apps modify the APK of another app? Doesn't each app have
its own Linux userid and aren't there access restrictions? How would some
random game go and write into the APK of an app with high privileges in order
to inject code? If that were possible, there would already be DoS-like
attacks: One game destroying the APK of a competing game, etc.

I'd really like to know the attack vector!

~~~
archivator
The thing that makes this dangerous is the "system" certificate for core apps.
If you hijack traffic to any update to such an app (and OEMs have a ton of
such apps), you can inject code before it's installed under "system" and
that's that.

No, you can't actually go poking into other apps' apks but how many people
would press "update" if they see the package manager's "Installing Gallery
update, no permissions required" dialog?

------
jquery
Yesterday I swapped my Android for an iPhone due to security concerns. No
regrets.

~~~
gtirloni
yet.

------
marcelocamanho
This is really one of those news items that just seems to be bought by
Android's competitors.

The user has to install a pirated APK. Also Play store is SSL secured. Just
use common sense.

~~~
laurent123456
Not everybody can download from the Play Store because of ridiculous device
and country restrictions. If you are from the US or Europe, you're mostly fine
but from other countries you often have to download the APKs from non-official
websites and I guess that's where there could be a problem.

~~~
Funnnny
Why? I installed most of my apps from Play Store, if some apps have country
restriction, it's because they have a good reason to do so (range of service
or support)

~~~
laurent123456
Where I live, many apps are not available and it's not clear at all why.
Usually I just end up searching for the apk, install it and it works just
fine.

------
atesti
I don't get why root access is so much worse than any other problem:

1. Apps like Skype already allow themselves access to so much sensitive and
private information and things like the Motorola spyware uncovered recently
([https://news.ycombinator.com/item?id=5973282](https://news.ycombinator.com/item?id=5973282))
are so bad that I find the extra evilness possible with root access not so
significant. What amount of additional harm would it really be? Intercepting
network traffic? Better hidden rootkit that even hides from the few users who
have jailbroken their phone?

2. The Linux kernel regularly has security bugs and we know that Android
phone manufacturers don't update devices timely or at all. Wouldn't every
Android phone have at least one exploit for the kernel itself at any given
point in time? Where are the apps that just use this to gain root access? Or
has Google hardened the kernel well enough that there are no known exploits by
which an APK with native code doing syscalls can increase its privileges?

~~~
throwaway2048
Just because one thing is a problem doesn't mean other things are not a
problem.

------
3JPLW
Bluebox seems to be having some sporadic database connection problems. Here's
the Coral Cache mirror: [http://bluebox.com.nyud.net/corporate-blog/bluebox-uncovers-...](http://bluebox.com.nyud.net/corporate-blog/bluebox-uncovers-android-master-key/)

------
dschiptsov
So, it seems, that there is some "special, less strict" way to install
packages for "trusted vendors", because it is much less probable to find a
major flaw in a standard jarsigner + zipalign procedure. If so, it is just
another idiotic "management decision".

------
brettyGood
Looking on the bright side, this offers a wonderful new opportunity to root
your phone without rooting your phone.

And at what point do we stop calling these sorts of problems "vulnerabilities"
and start calling them surreptitious "back doors"?

~~~
Oletros
There is no rooting involved

~~~
brettyGood
Yes, precisely my point. Hence the phrase "rooting without rooting".

If it's possible to use this vulnerability to arbitrarily rewrite the contents
of any or all of the APKs loaded onto a given phone, then this flaw allows for
the ability to engage in a key behavior that makes rooting Android popular:
Disabling all of the unwanted bloatware that device manufacturers usually
prevent you from deleting.

~~~
Oletros
This exploit won't disable anything, you will still have those apps
installed and shown.

------
zmmmmm
There are some weird sentences in this that make it very confusing:

"Installation of a Trojan application from the device manufacturer"

Ok, so the manufacturer of the device is shipping a trojan on my device. Isn't
there a bigger problem in this situation?

~~~
mikeash
I think he means an application which is "signed" by the manufacturer but
actually comes from a malicious third party.

~~~
BHSPitMonkey
But how did it get there? I'm pretty sure the device would have to be rooted,
_and_ the user would need to have run some code written by the attacker and
allowed it to run with superuser privileges (or haphazardly followed some
malicious tutorial online, e.g. "follow these steps to install new themes!" or
"use this tool to unlock your phone!").

~~~
antocv
You install an app from the Play store that is very normal, it only requests
Internet permissions.

Then after a week or so, it wakes up and downloads its payload, with which it
can modify itself, transforming itself to seemingly be the Gmail app you are
so often using, while moving the real Gmail away. Then you continue using and
updating "Gmail" like you normally would, except you know, it's now using a
proxy and no SSL.

~~~
BHSPitMonkey
I'm not sure it could covertly replace Gmail as you describe without being
granted super user rights.

------
emmelaich
A device manufacturer can already do whatever they want.

------
dallagi
Are Android apks converted to BlackBerry10 bars still vulnerable?

