Feeds

KitKat swats yet another Android 'MasterKey' bug

INVASION of the UNDEAD ANDROIDS averted. Again

Combat fraud and increase customer satisfaction

Android 4.4 contains a fix for yet another – albeit weaker variant – of the so-called MasterKey bug that first surfaced in July.

The vulnerability first shook the security world when mobile security startup Bluebox Security warned about a class of flaw that potentially affected 99 per cent of Android devices. The problem revolved around how Android handled the verification of the integrity of apps.

Security shortcomings meant that malicious parties could alter some of the contents bundled in an app without changing its cryptographic signature. Apps for Android come as .APKs (Android Packages), which are effectively just ZIP archives. Bluebox discovered it was possible to pack an installation file with files whose name is the same as those already in the archive. These renamed files could easily contain malicious code. It discovered the gaping security hole in February and notified Google but a fix didn't arrive until July.

The issue arose because Android checked the cryptographic hash of the first version of any repeated file in an APK archive, but the installer extracts and applies the last version, which might be anything and wouldn't be checked providing it had the same file name as an earlier (legitimate) component.

A similar bug, discovered by Chinese Android researchers, was also fixed in July. It was Java-based but had the same practical consequences - miscreants could upload Trojan-laden .APK files onto online marketplaces that carried the same digital signature as the legitimate app. Both the two earlier issues were resolved with Android 4.3 Jelly Bean, which was released in July.

Investigation of the recently released Android 4.4 source code by Jay Freeman, a mobile security developer best known for his work on iOS and Cydia*, has revealed that it contains a patch for a third flaw along the same lines. The third flaw is less easy to exploit than the two previous variants, but is still potentially problematic. It arises because it is possible to manipulate the filename length field in a ZIP file's metadata.

"The local header filename length is deliberately set so large that it points past both the filename and the original file data," explains veteran antivirus expert Paul Ducklin on the Sophos Naked Security blog. "This presents one file to the verifier, and a different file to the operating system loader."

Android maintainers have quashed the latest bug by altering the Java-based validation code "so that it follows a similar path through the data to that used by the loader," according to Ducklin, who describes this as an effective (if not holistic) fix.

Freeman has published a detailed analysis of the flaw, along with proof-of-concept code, here. The third flaw was found at around the same time as the others, but only patched this month.

All three flaws stem from the features of the Zip file format, designed in an earlier era of computing, which featured filename redundancy in case files had to be split across multiple floppy disks. These and other antiquated features are hard-wired into the Zip format, handing over security issues to Android Packages built on the foundations of the format as a result.

Sources have confirmed that all three bugs have been fixed in Android 4.4 and that Google's OEM hardware partners have been notified. It might still take some time for the roll out of the update by device manufacturers, if the progress through the Android eco-system of previous updates is any guide.

El Reg was able to confirm through Romanian software security firm Bitdefender that the latest MasterKey vulnerability has been fixed.

Bogdan Botezatu, senior e-threat analyst at Bitdefender, said: "The code committed into the linked GIT repository has changed in the 4.4 RC1 iteration and the attack vector described in the article has – to our knowledge - been mitigated.

"We also tried to reproduce the described exploit in the compiled AOSP builds that started showing up since Friday with no avail. However, we are looking into the unit to see if special scenarios could allow for similar exploits," he added.

BitDefender Botezatu's discovered two benign gaming apps featuring the original MasterKey Vulnerability in the official Google Play store two weeks after the problem first surfaced so his reassurance that there's no further hidden problems in Android along the same lines, at least for now, is welcome.

Bootnote

*Cydia is an application that lets fanbois search for and install software packages on jailbroken iOS Apple devices.

High performance access to file storage

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.