LAS VEGAS: The researcher behind the discovery of the infamous Android master key vulnerability gave his long-awaited technical presentation detailing the high-profile mobile vulnerability.
Bluebox chief technology officer Jeff Forristal said that the flaw was originally discovered while working on a mapping application. In order to project his mapping data onto the Maps application in Android, he resorted to a technique in which code was inserted into the APK code in the application.
Before long, Forristal realised the trick could have larger implications. “Then I stopped and said 'I'm pretty sure this is not something I am suppsed to be able to do',” he said.
After additional research, the vulnerability was disclosed to Google in February. In the weeks and months that followed, both Google and its OEM partners received and distributed a patch for the flaw.
While deployment varied by vendor, Forristal noted that Samsung was particularly diligent in fixing the flaw.
“They actually issued an update to fix this bug on an old Gingerbread Samsung device,” he said. “Props that they didn't just fix their new stuff, they went back to fix their old Gingerbread stuff.”
Less than a month before Forristal was set to present the flaw at Black Hat, he issued a teaser blog to publicly introduce the flaw. The post touched off a media firestorm and speculation that nearly every Android device was vulnerable.
Forristal said that on the one hand the hysteria generated by the report was exaggerated; counter claims said that the overwhelming majority of users had untrusted applications sources disabled and thus would be protected by Google Play. However, he also cited a company study, which found around 69 percent of users actually have the protection disabled.
“A lot of people were essentially saying that the number of users who were changing this setting was statistically near zero, they only go to Google Play,” he argued.
The Bluebox CTO noted that trusted sources such as Amazon's Appstore for Android and enterprise mobile app services require users to disable the untrusted sources protection.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago