LAS VEGAS: The researcher behind the discovery of the infamous Android master key vulnerability gave his long-awaited technical presentation detailing the high-profile mobile vulnerability.
Bluebox chief technology officer Jeff Forristal said that he originally discovered the flaw while working on a mapping application. In order to project his mapping data onto the Maps application in Android, he resorted to a technique in which code was inserted into the application's APK.
Before long, Forristal realised the trick could have larger implications. “Then I stopped and said 'I'm pretty sure this is not something I am supposed to be able to do',” he said.
After additional research, the vulnerability was disclosed to Google in February. In the weeks and months that followed, both Google and its OEM partners received and distributed a patch for the flaw.
While deployment varied by vendor, Forristal noted that Samsung was particularly diligent in fixing the flaw.
“They actually issued an update to fix this bug on an old Gingerbread Samsung device,” he said. “Props that they didn't just fix their new stuff, they went back to fix their old Gingerbread stuff.”
Less than a month before Forristal was set to present the flaw at Black Hat, he issued a teaser blog to publicly introduce the flaw. The post touched off a media firestorm and speculation that nearly every Android device was vulnerable.
Forristal said that, on the one hand, the hysteria generated by the report was exaggerated; counterclaims said that the overwhelming majority of users had untrusted application sources disabled and thus would be protected by Google Play. However, he also cited a company study which found that around 69 percent of users actually have the protection disabled.
“A lot of people were essentially saying that the number of users who were changing this setting was statistically near zero, they only go to Google Play,” he argued.
The Bluebox CTO noted that trusted sources such as Amazon's Appstore for Android and enterprise mobile app services require users to disable the untrusted sources protection.