Interested in Android Security? Learn about the “Master Key” vulnerability!


Henry Dalziel | General Hacking Posts, Hacker Hotshots, Latest InfoSec News | September 25, 2013

Inside the Concise Courses bat cave, three of us have Droids and two have iPhones. The iPhone carriers are the arty ones, whilst the nerds have Droids!

If you are interested in mobile phone security with particular reference to the Android “Master Key” vulnerability then you must get yourself registered to watch an amazing Hacker Hotshot web show with Jeff Forristal titled: “Android: One Root To Own Them All.”

Jeff will be our 109th Hacker Hotshot Expert Speaker and, by our reckoning, our 5th cell-phone/mobile/Android-related presenter. We are delighted to welcome him to the show – particularly because of his experience and knowledge.

A quick look at what the Android “Master Key” vulnerability is/was:
This was a major discovery made by Jeff and his team over at Bluebox Labs. In short, and Jeff will likely expand on this, the Android vulnerability allows a hacker to maliciously modify an application’s APK code without changing the application’s cryptographic signature. The end result is potentially malicious Trojans that go completely unnoticed by the app store, the phone, or the end user! The implications are enormous of course! This vulnerability, according to research by Jeff’s team, could affect any Android phone released over the last four years, which represents over 900 million devices.

Android malware is a serious problem and for a long time went relatively unnoticed. In fact, we recently spoke about this with Gary Warner from Malcovery when he presented: “Malware, Phishing: the Need for Intelligent Response”. One of the questions at the end noted that the Juniper Mobile Threat Center team released a report on mobile malware, which concluded that it had grown a staggering 600% between 2012 and 2013 – and that it had specifically targeted Android.

In this much anticipated Hacker Hotshot web show Jeff will discuss and provide us with:

  • A follow-up to the Android Master-Key vulnerability, and how things look three months later.
  • Statistics and things learned since the public release of the vulnerability information.

About Jeff Forristal
As CTO at Bluebox, Jeff is the global expert on the Android Master-Key Vulnerability and is a hugely respected information security professional. Jeff’s experience is broad and deep as a result of having been a security technology professional in the industry for over a decade. His professional background includes all things security, spanning across software, hardware, operations/IT, and physical access control. Jeff has written many features and cover-story articles for magazines such as Network Computing and Secure Enterprise and he’s a contributing author to various industry specific books.

Under the pseudonym “Rain Forest Puppy,” Jeff is a highly regarded industry expert in web application security and was responsible for the first documented security discovery of SQL injection! If that wasn’t enough, he also authored the RFPolicy, which is basically a protocol that suggests that researchers contact vendors about security vulnerabilities that they find in their products. The policy gives the vendor five working days to reply and react to the reporter of the bug; thereafter the researcher can disclose the vulnerability. (Side note – if you have an interest in the RFPolicy you ought to take a look at another web show we had with Marcia Hofmann when she worked for the EFF titled: “Legal Issues in Mobile Security Research”, which covers much of the same ground as the RFPolicy).

In Summary
Android usage is growing at a rapid pace and understandably many people are interested in this major vulnerability. This is a superb event to attend if you want to learn more about the state of Android security, especially coming from such a qualified expert.

We must mention here that if you are interested in mobile security then you must take a look at the Drozer Android security testing tool – which was another excellent Hacker Hotshot talk we had last week with Daniel Bradberry.

Here are some other Android-related talks we have either had, or that are upcoming.

Not much more to say but – register! Let us know your thoughts regarding Android Security. Will it get better? How do you see the future? We’d love to have your comments below.
