Are you vulnerable to the Android master key flaw?
Last week Bluebox Security published details of an Android vulnerability that affects up to 99% of all Android devices. I wrote about it on Infosecurity Magazine here. It’s a code signing flaw that allows attackers to trick the device into accepting an update as an official update even when it isn’t. The fractured nature of the Android market makes it difficult to fix – different manufacturers use different versions of the operating system, and it is likely that some manufacturers won’t bother fixing it all.
The immediate workaround is to avoid side loading. It will be difficult for attackers to use the flaw for a mal-modified app via the Play store. But not – nothing ever is – impossible.
Now Bluebox has come to the rescue with a new free app. It doesn’t negate the flaw, but will help you know if you’ve been done. Firstly, it allows you to check to see if your device has been patched. But, “It will also scan devices to see if there are any malicious apps installed that take advantage of this vulnerability,” writes Jeff Forristal, Bluebox CTO, in a blog posting today.