Android Fixes Third ‘MasterKey’ Bug

Tuesday, November 12, 2013 @ 10:11 AM gHale

Android 4.4 contains a fix for another variation of the MasterKey bug that first surfaced in July.

The vulnerability first hit the industry when mobile security startup Bluebox Security warned about a class of flaw that potentially affected 99 percent of Android devices. The problem revolved around how Android handled the verification of the integrity of apps.

BlackBerry Patches Smartphones, Tablets
Users Don’t Secure Android Devices
Attack Threat Continues to Increase
Mobile Security Education Feeble

Security shortcomings meant that malicious parties could alter some of the contents bundled in an app without changing its cryptographic signature. Apps for Android come as .APKs (Android Packages), which are effectively just ZIP archives. Bluebox discovered it was possible to pack an installation file with files whose name is the same as those already in the archive. These renamed files could easily contain malicious code. It discovered the gaping security hole in February and notified Google but a fix didn’t arrive until July.

The issue arose because Android checked the cryptographic hash of the first version of any repeated file in an APK archive, but the installer extracts and applies the last version, which might be anything and wouldn’t be checked providing it had the same file name as an earlier (legitimate) component.

Analysis of the Android 4.4 source code by Jay Freeman, a mobile security developer, found it contains a patch for a third flaw along the same lines. The third flaw is less easy to exploit than the two previous variants, but is still potentially problematic. It arises because it is possible to manipulate the filename length field in a ZIP file’s metadata.

Researchers found the third flaw at around the same time as the others, but only patched this month.

All three flaws stem from the features of the Zip file format, designed in an earlier era of computing, which featured filename redundancy in case files had to be split across multiple floppy disks. These and other antiquated features end up hard-wired into the Zip format, handing over security issues to Android Packages built on the foundations of the format as a result.

Leave a Reply

You must be logged in to post a comment.