Posted by: David Harley | July 18, 2013

Android verification bug mk II

If you feel in need of a moderately technical view of the Chinese variation on the Bluebox ‘Masterkey’ bug (see yesterday’s blog, Another Android Masterkey), you could do a great deal worse than Paul Ducklin’s blog for Sophos: Anatomy of another Android hole – Chinese researchers claim new code verification bypass. Admittedly, I’ve never seen one of his blogs that wasn’t worth reading… Alternatively, journalist and author Neil Rubenking came up with a minor masterpiece in succinct commentary on the two issues:

They are both just riffing on the fact that the ZIP file format was never written to be secure. One uses two same-name files in the same APK. The other takes advantage of an unsigned offset stored as signed. Definitely NO breakage of the digital signature.
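A defensive check for the two conditions described above, as an added example that is not from the original post or the commentary it quotes: it flags an APK that has repeated entry names or a local-header extra-field length of 0x8000 or more. It assumes the "unsigned offset stored as signed" is that 16-bit length field; the function names and the sample archives are constructed for illustration.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

LFH_SIG = b"PK\x03\x04"  # local file header signature


def audit_apk(data: bytes) -> dict:
    """Report duplicate entry names and local extra lengths that go negative as int16."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()  # keeps every central-directory record, repeats included
    counts = Counter(e.filename for e in entries)
    findings = {"duplicate_names": sorted(n for n, c in counts.items() if c > 1),
                "signed_extra_len": []}
    for e in entries:
        hdr = data[e.header_offset:e.header_offset + 30]
        if len(hdr) < 30 or hdr[:4] != LFH_SIG:
            continue  # truncated or mismatched local header: nothing to measure
        _name_len, extra_len = struct.unpack("<HH", hdr[26:30])
        if extra_len >= 0x8000:  # assumption: this is the field read as signed
            findings["signed_extra_len"].append(e.filename)
    return findings


def build_samples():
    """Constructed test archives: clean, duplicate-name, oversized extra field."""
    def make(entries):
        buf = io.BytesIO()
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")  # zipfile warns on duplicate names
            with zipfile.ZipFile(buf, "w") as zf:
                for info, body in entries:
                    zf.writestr(info, body)
        return buf.getvalue()

    clean = make([("classes.dex", b"a"), ("AndroidManifest.xml", b"b")])
    dup = make([("classes.dex", b"a"), ("classes.dex", b"b")])
    big = zipfile.ZipInfo("classes.dex")
    # One well-formed extra record (hypothetical tag 0xCAFE), 0x8000 bytes in total.
    big.extra = struct.pack("<HH", 0xCAFE, 0x7FFC) + b"\0" * 0x7FFC
    wide = make([(big, b"a")])
    return clean, dup, wide


if __name__ == "__main__":
    for label, blob in zip(("clean", "dup", "wide"), build_samples()):
        print(label, audit_apk(blob))
```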

Meanwhile, John Leyden reports that there’s a free utility that apparently counteracts both issues: Finally, someone’s fixed THAT Android hole. Was it your mobe network? No. (Sorry, I don’t have an Android device, so there’s no likelihood of my trying to test it.)

David Harley
Small Blue-Green World
ESET Senior Research Fellow
