If you’re feeling in a need of a moderately technical view of the Chinese variation on the Bluebox ‘Masterkey’ bug – see yesterday’s blog Another Android Masterkey – you could do a great deal worse than Paul Ducklin’s blog for Sophos: Anatomy of another Android hole – Chinese researchers claim new code verification bypass. Admittedly, I’ve never seen one of his blogs that wasn’t worth reading… Alternatively, journalist and author Neil Rubenking came up with a minor masterpiece in succinct commentary on the two issues.
They are both just riffing on the fact that the ZIP file format was never written to be secure. One uses two same-name files in the same APK. The other takes advantage of an unsigned offset stored as signed. Definitely NO breakage of the digital signature.
Meanwhile, John Leyden reports that there’s a free utility that apparently counteracts both issues. (Sorry, I don’t have an Android device, so there’s no likelihood of my trying to test it.) Finally, someone’s fixed THAT Android hole. Was it your mobe network? No
Small Blue-Green World
ESET Senior Research Fellow