[guardian-dev] What to do about Android "master key" bug

Nathan of Guardian nathan at guardianproject.info
Fri Jul 5 08:04:50 EDT 2013


On 07/03/2013 07:54 PM, Harlo Holmes wrote:
> 
> http://threatpost.com/android-vulnerability-enables-malicious-updates-to-bypass-digital-signatures/
> 
> I hope to check this out in Vegas.  I'm not going to Black Hat, but DEFCON
> gets a lot of cross-over...

Yeah, this is kind of a big deal. Perhaps Derek/Lookout will have some
response.

Here is my idea, and it is perhaps a great way to promote GnuPG... we
could write our GPG APK signature verifier app, that scans your
installed APKs, and verifies signature files of APKs, when it has an
associated .sig/.asc.

Perhaps we can maintain a repo of APKs and associated APK sig download
locations? Could this be built into Weather Repo?

With F-Droid, we do use a signed repo, but not sure if that helps in
this context.

Ultimately, the threats here are two-fold:

1) A malicious app is installed outside of Google Play via email
attachment, unexpected web download, or faked "system update". It
installs over actual APK without any prompt.

2) Google Play forces an update to an app, with the update not coming
from a developer, but from a hostile adversary who has convinced Google
that you are a threat.

#2 is already possible with Google Apps themselves, so there isn't
really a change.

#1 can be blocked if you disable "unknown location" installs, but that
leaves you only with #1 as an option for app installs.

Anyhow, brought this discussion over to guardian-dev to see what people
think, and figure out if there is anything we can or should do to
respond to this fairly fundamental Android bug.

+n
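A sketch of the scanner idea above, as an added example and not Guardian Project code: it walks an APK's ZIP directory and refuses the file if any entry name occurs twice (the condition the "master key" bug abuses, since the signature verifier and the installer can end up reading different copies; that mechanism is from my own knowledge, not from this thread), and otherwise verifies a detached `.asc`/`.sig` sidecar with the gpg command line. It assumes `gpg` is on PATH with the developer's key already trusted; the fixture APKs and the empty sidecar are constructed here only to exercise the verdict logic.

```python
import os, subprocess, tempfile, zipfile
from collections import Counter

def duplicate_entries(apk_path):
    """Entry names that occur more than once in the ZIP central directory."""
    with zipfile.ZipFile(apk_path) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)

def sidecar_signature(apk_path):
    """Path of a detached .asc/.sig next to the APK, or None."""
    for ext in (".asc", ".sig"):
        if os.path.exists(apk_path + ext):
            return apk_path + ext
    return None

def gpg_verify(apk_path, sig_path):
    """Verify a detached OpenPGP signature with the gpg CLI; fails closed."""
    try:
        r = subprocess.run(["gpg", "--batch", "--verify", sig_path, apk_path],
                           capture_output=True)
    except FileNotFoundError:  # gpg not installed: treat as unverified
        return False
    return r.returncode == 0

def scan_apk(apk_path, verify=gpg_verify):
    """Classify an APK as 'tampered', 'unsigned', 'bad-signature' or 'ok'."""
    if duplicate_entries(apk_path):
        return "tampered"  # refuse before looking at any signature
    sig = sidecar_signature(apk_path)
    if sig is None:
        return "unsigned"
    return "ok" if verify(apk_path, sig) else "bad-signature"

def make_sample_apk(path, duplicate):
    """Constructed fixture: a minimal ZIP, optionally with one name written twice."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("classes.dex", b"benign")
        if duplicate:
            zf.writestr("classes.dex", b"evil")  # zipfile warns, but writes it
    return path

def demo(verify=gpg_verify):
    """Build two constructed APKs in a temp dir and scan them; returns the verdicts."""
    d = tempfile.mkdtemp()
    clean = make_sample_apk(os.path.join(d, "clean.apk"), duplicate=False)
    dup = make_sample_apk(os.path.join(d, "dup.apk"), duplicate=True)
    open(clean + ".asc", "w").close()  # placeholder sidecar, not a real signature
    return {"clean": scan_apk(clean, verify), "dup": scan_apk(dup, verify)}

if __name__ == "__main__":
    print(demo())
```

Running it with a real `gpg` reports `clean` as `bad-signature` because the placeholder sidecar is empty; the `dup` verdict never depends on the signature at all.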

