Why you should not worry too much about the Android “Master Key” flaw

Before clicking the "Unknown sources" checkbox, think twice, and twice again.
Before clicking the “Unknown sources” checkbox, think twice, and twice again.

You have probably read the reports of how an Android “Master Key” flaw puts 99% of Android devices as risk. On the face of it, the issue sounds terribly worrisome. But is it?

Android applications contain a cryptographic signature. They are basically digital signatures which use public key algorithms to ensure data integrity. By verifying the key, a Google engineer or App Store or your Android device can verify that the application came from the Developer.  When an application is installed in an Android phone, a sandbox is created for it and Android records the application’s digital signature.

The Android Application Sandbox, isolates app data and code execution from other apps as a security measure. Basically, this limits what the application can access on your phone. The digital signature is used to make sure that all subsequent updates for the application match the stored digital signature so your Android phone knows that the update comes from the same source as the application you installed.

Bluebox Security discovered a vulnerability in Android which allows a hacker to modify an application installer, without breaking the application’s cryptographic signature. This would allow a hacker to modify code to convert a legitimate application into a malicious Trojan. Since the digital signature looks legit, a Google engineer, App Store and your Android device would not realize it does not come from the Developer but from a hacker.

Because the application’s cryptographic signature is not broken, Android will think that the application was not modified, and will allow the update to be installed. The Trojan, now installed could steal information or take over aspects of your device without you ever knowing it. Pretty scary stuff.

As is customary in the security industry, Bluebox Security, quietly informed Google of the flaw last February, and after four months made its discovery public.

So, will this flaw allow a trojan to be installed on your phone? If you install your apps from Google Play, getting a fake app installed on your phone would require that:

  1. The hacker would have to be able to publish the fake application on Google Play pretending to be the legitimate developer; or,
  2. The hacker would have to be able to push a fake application update to a user pretending that it comes from the developer.

Last April, Google tightened security on the Google Play store by forbidding Android app developers from issuing updates to apps available on Google Play outside of the store. So as of now, if an Android app is downloaded from the Google Play store, it will only be updated from the Play Store. So number two above is no longer applicable.

It looks like this move from Google may have been the result of the information conveyed to it by Bluebox Security.

So, at present, for this flaw to be able to affect your device, a hacker would have to fool Google Play into publishing an app which actually does not come from the developer. So basically, how safe you are depends on how secure Google keeps Google Play.

This highlights the safety of Apple’s Walled Garden. Apple’s iOS is the least secure among the four major operating system platforms according to SourceFire’s “25 Years of Vulnerabilities” study released in early March. That study found a total of 259 vulnerabilities in smartphone operating systems:

  • BlackBerry – 11
  • Windows Phone – 14
  • Android – 24
  • iOS – 210


Basically, iOS has five times more vulnerabilities than the three other major smartphone ecosystem combined. But while iOS itself is not the most secure operating system, it is kept safe by being cloistered behind a vetted walled garden.

The only way a hacker is going to be able to sneak a hacked app into your iPhone or iPad is through the well-vetted Apple App Store. I am not saying it cannot be done, but it would be very difficult.

With Android Phones, the situation is pretty much the same. Android by default will not allow you to install apps from third parties. But you can allow Android to install apps from third parties in the settings. If you get your apps from another Android App Store, then the level of your security would depend on how secure that store is. If you obtain apps from questionable sources, to avoid paying the Developer for the app, well, you may wind up paying for it in a different way.

So if you are the typical user and get your apps from Google Play, you really have little to worry about. Google Play has Bouncer, a scanner which scans apps submitted to Google Play for malware. If some serious piece of malware gets past Bouncer, Google has the ability to nuke the app and wipe the malware of Android devices wherever in the world they may be located.

The reality is neither Apple’s vetting or Google Bouncer is a 100% guarantee that nothing bad will ever get through. But mobile operating systems working behind a secured app market is as good as security can ever get. No operating system will ever be 100% secure.

Ultimately, the last line of security is you. Just do not go browsing the app store and downloading random junk.