[URL]http://www.bbc.co.uk/news/technology-23179522[/URL]
[QUOTE][B]A "master key" that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.[/B]
The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.
The loophole has been present in every version of the Android operating system released since 2009.
Google said it currently had no comment to make on BlueBox's discovery.
[URL="http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/"]
Writing on the BlueBox blog[/URL], Jeff Forristal, said the implications of the discovery were "huge".
The bug emerges because of the way Android handles cryptographic verification of the programs installed on the phone.
[/QUOTE]
So does this mean it exists in custom ROMs like CyanogenMod also?
And the most depressing part is that even if Google releases a fix yesterday, most phones won't get it.
[QUOTE=AlphaAGENT;41316222]So does this mean it exists in custom ROMs like CyanogenMod also?[/QUOTE]
Would have thought so since this is related to apk's.
[QUOTE=leontodd;41316276]Would have thought so since this is related to apk's.[/QUOTE]
Well, shit.
Hopefully it gets patched soon then.
And I just got an android phone... Jeepers..
[QUOTE=Ezhik;41316249]And the most depressing part is that even if Google releases a fix yesterday, most phones won't get it.[/QUOTE]
I don't understand how Google gets always with this, both iOS and Windows Phone don't have these critical issues that under no circumstances should exist. I guess cause people keep buying Android phones so no incentive to fix
If I'm understanding this correctly, what this means is that someone with malicious intent would need to have access to a legitimate application, change the code in that application to do whatever they want it to, and then have a way for loads of people to download the modified app. Unless there is a big security flaw that allows someone to redirect users of the Google Play Store to malicious links, this is mainly going to affect people who download apps from places that aren't the Google Play Store.
[QUOTE=kidwithsword;41316683]If I'm understanding this correctly, what this means is that someone with malicious intent would need to have access to a legitimate application, change the code in that application to do whatever they want it to, and then have a way for loads of people to download the modified app. Unless there is a big security flaw that allows someone to redirect users of the Google Play Store to malicious links, this is mainly going to affect people who download apps from places that aren't the Google Play Store.[/QUOTE]
oh and the legitimate application would have to be a manufacturer app with root access (more or less)
[QUOTE=The Baconator;41316463]I don't understand how Google gets always with this, both iOS and Windows Phone don't have these critical issues that under no circumstances should exist. I guess cause people keep buying Android phones so no incentive to fix[/QUOTE]
well i'm sure those operating systems have some issues as well, we just dont know about them seeing as how their source codes aren't public
[QUOTE=The Baconator;41316463]I don't understand how Google gets always with this, both iOS and Windows Phone don't have these critical issues that under no circumstances should exist. I guess cause people keep buying Android phones so no incentive to fix[/QUOTE]
iOS has a rich history of critical security flaws.
The important factors are the risks the average user is exposed to, and how quickly the issues are fixed. If kidwithsword is correct, this isn't a huge blow to the Android community.
[QUOTE=ChristopherB;41318344]iOS has a rich history of critical security flaws.
[/QUOTE]
Not really. The reason the wait time for jailbreaks keeps increasing is because of how hard it is to find exploits that aren't just useless tricks like when the photo album was accessible through an exploit when the lockscreen camera was added even if the user had a passcode. Apple's biggest flaw seems to be their incompetence with making a lockscreen emergency dialer, it's had a few exploits over the years.
[QUOTE=Ezhik;41316249]And the most depressing part is that even if Google releases a fix yesterday, most phones won't get it.[/QUOTE]
Google Play Services can be updated regardless of OS version so if you're one of the 99% of Android users who only install apps from the Play Store you already have the fix (assuming someone could even get a malicious update on the Play Store in the first place)
My starTAC is amused.
Tl;Dr of the article:
A malicious app could potentially "hijack" another app's permissions by changing its signature.
However, this has almost no real implications.
For one: it would take a lot less effort to simply ask for these permissions in its own manifest. The majority of users wouldn't know the difference.
The app has to be somewhere where people can actually download it. For almost all Android users, this means either Google Play or the Amazon app store. Both scrutinize their apps very well and I'd be extremely impressed if anyone managed to get a malicious app like this on there.
Therefore, the only people at serious risk here are those whom pirate apps. Very [I]very[/I] few apps are not available on the play or amazon store, or the reputable developer's website. I'm sure Google will patch it soon enough as well.
Sorry, you need to Log In to post a reply to this thread.