[guardian-dev] What to do about Android "master key" bug

Derek of Guardian derek at guardianproject.info
Wed Jul 17 02:08:04 EDT 2013


Jumping onto this thread way too late (sorry!). The fortunate thing about the 'master key' vuln is that it's *relatively* easy to scan for by looking for duplicate entries in an apk. Lookout just updated our app tonight to scan for this stuff and detect it. Huzzah!

Others on this list may have also seen recent reports of a 'second master key vuln' - a pretty good write-up is on Android Police here. I can also confirm that this is an exploitable issue, though it's somewhat more difficult to accomplish. Among other things, you need a 'target' app that has a classes.dex file that's smaller than 64k, which is fairly rare. It's proven significantly more difficult to guard against within a client app like Lookout, but we're in the middle of testing a fix for it currently. 

And lastly, I just had to respond to this one:
> I have to commend Bluebox on
> drumming up so much media publicity for their startup…

They certainly are pretty good at drumming up media publicity, but IMO it's pretty irresponsible to publish that much detail on such a vulnerability with essentially 100% of the userbase still vulnerable. Having a patch in AOSP and CM is one thing, but it sure would've been nice to see them wait for at least some fixed firmwares released. In the meantime… download Lookout? ;)

-Derek

On Jul 8, 2013, at 8:05 AM, Nathan of Guardian wrote:

> On 07/08/2013 10:20 AM, Daniel McCarney wrote:
> > It boils down to the way that Android handles duplicate entries in
> > the APK. It appears you can add two files of the same name and have
> > only one of them match the signature defined in CERT.SF.
> 
> If there are two of the same file, say classes.dex, or an .so, how
> does Dalvik choose which one to load? Or does it load them all?
> 
> I suppose the answer must be, it chooses the *wrong* one, at least
> part of the time, or at some point, enough to activate the attack.
> 
> +n
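
The duplicate-entry check Derek describes above, as an added example that is not part of the original thread or of Lookout's code. It builds a constructed in-memory ZIP standing in for an APK, lists every entry name that appears more than once in the central directory, and returns the contents of each copy, since a scanner that only calls `read(name)` sees whichever copy its ZIP library happens to pick (Python's `zipfile` picks the last one) and could hash the wrong file against CERT.SF.

```python
import io
import warnings
import zipfile
from collections import Counter
from typing import Dict, List


def duplicate_entries(apk_bytes: bytes) -> Dict[str, int]:
    """Return {name: count} for every entry name listed more than once in the
    ZIP central directory.  A correctly signed APK has exactly one entry per
    name, because META-INF/CERT.SF carries one digest per name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def all_copies(apk_bytes: bytes, name: str) -> List[bytes]:
    """Return the data of every entry called `name`, in central-directory order.
    Reading by ZipInfo (not by name) is what lets us reach each copy; a plain
    zf.read(name) would silently return only the last one."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def build_constructed_apk(duplicate: bool) -> bytes:
    """Construct a tiny ZIP shaped like an APK (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00original")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        if duplicate:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                zf.writestr("classes.dex", b"dex\n035\x00second copy")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_constructed_apk(duplicate=True)
    print("duplicates:", duplicate_entries(sample))          # {'classes.dex': 2}
    print("copies seen:", len(all_copies(sample, "classes.dex")))  # 2
```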
