[guardian-dev] What to do about Android "master key" bug

Daniel McCarney daniel at binaryparadox.net
Fri Jul 5 12:06:40 EDT 2013


Thoughts inline:

On 07/05, Nathan of Guardian wrote:
> On 07/03/2013 07:54 PM, Harlo Holmes wrote:
> > 
> > http://threatpost.com/android-vulnerability-enables-malicious-updates-to-bypass-digital-signatures/
> > 
> > I hope to check this out in Vegas.  I'm not going to Black Hat, but DEFCON
> > gets a lot of cross-over...

I'll be at DEFCON too if any Guardian folks want to meet up for hackity
hacks.

> Yeah, this is kind of a big deal. Perhaps Derek/Lookout will have some
> response.

I think it's too early to say how big of a deal it is. It has the potential to
be a serious flaw but there are too few details to really reason about the
impact at this point (In my opinion at least). I have to commend Bluebox on
drumming up so much media publicity for their startup...

I've heard some speculation that they are bypassing the signature verification
somehow to fool the package manager service into installing a non-system-signed
binary to the system partition. Whether that's true or not, it does sound like it
relies on getting a user to install a malicious app (or a non-malicious app that
has been made malicious).

> Here is my idea, and it is perhaps a great way to promote GnuPG... we
> could write our GPG APK signature verifier app, that scans your
> installed APKs, and verifies signature files of APKs, when it has an
> associated .sig/.asc.

There might be ways to leverage GPG to do some verification, but this particular
suggestion won't help much to remediate this vulnerability (if speculation holds).

Without root or a modified OS I'm not certain you can do anything to check the
app's GPG signature pre-installation. If the app roots the device before you check
the GPG signature, the damage is already done and the app could replace the
malicious APK with an unmodified copy or perhaps just disable the GPG check
entirely.

If we believe the vuln. allows the adversary to replace any installed app
without signing their update with the same private key then they are likely
able to do that with system signed applications. That's a more powerful attack
than directly replacing a Guardian App with a nasty update.

Open to brainstorming!

- Dan