Android: One root to own them all: Android Master-Key Vulnerability

Jeff Forristal

Thu, 16th October 2014


Speaker Bio 1:
Jeff Forristal is a highly respected security professional with more than a decade of experience in the security industry. As well as having written multiple articles for Network Computing and Secure Enterprise magazines, he is also a contributing author to multiple books. Under the pseudonym "Rain Forest Puppy," Jeff has been recognized as an industry expert in web application security and was responsible for the first publicized responsible security disclosure policy (2000), the first publicized recognition of SQL injection (Phrack, 1998), and the first intelligent open source web application scanner (Whisker, 1999).

Learning Objectives:

Jeff will explain:

  • Follow-up to the Android Master-Key vulnerability: how things look 3 months later.
  • Statistics and things learned since the public release of the vulnerability information.

Questions and answers

Max, Concise Courses:
17:27 Compared to iOS, does Android leak more data through apps?

Jeff Forristal:
I usually get the ‘is iOS or Android more secure?’ question, so that is one I can talk about pretty well – but ‘leaking more data’ is interesting. I have not actually attempted to measure application leakage, and I suspect that is going to be on a case-by-case basis depending on the application. That’s a fantastic question, and I am not sure. I don’t have any reference to really give you a solid answer on that one.


Max, Concise Courses:
18:10 What’s the future of vulnerabilities within Android? From a security perspective, will things like ‘zip parser discrepancies’ become history, and will Android become impenetrable?

Jeff Forristal:
Well, I certainly hope so! With any found security vulnerability we hope that the world takes notice, at least the relevant parties in the world, and uses that as a historical record and does not keep repeating the same call. But if history is evidence of how this all plays out, [for example] ‘SQL Buffer Injection Overflows’ found decades ago still seem to be a problem. Are we learning from our mistakes? Are we improving, or are we repeating our mistakes? Security is a tough challenge and a tough call in that way. I’d like to hope that with visibility to this class of problems, people will be more cognizant of it going forward. You have to get the knowledge of this problem into the hands of the person that is creating the code, and that itself is a very large education campaign. On a worldwide scale it is difficult to say if that is going to be executed.


Max, Concise Courses:
19:30 You mentioned phishing and SMS abuse – are you seeing these attacks being targeted at particular verticals?

Jeff Forristal:
Certainly, phishing is a targeted attack overall. In terms of banking logins, and speaking about Android specifically – this is going to sound rather dismissive, but attackers are lazy, and rightfully so. They don’t have to put in too much effort to get money through a premium SMS abuse style of attack. Effective, well-known patterns result in immediate financial gain for the attackers; they don’t need to try new stuff or be cleverer, they can just get free money by doing that [SMS abuse]. We are seeing large-scale abuses of some common ways to basically get quick turnarounds and financial wins. Until those patterns are thwarted through some of the upcoming Android security changes, the attackers will just stick with what they know and stick with what is working.

What is working for them right now is getting money through premium SMS abuse attacks.


Max, Concise Courses:
20:36 I guess you answered my question, but how worried should I be? I’m a system and network admin, and people on our network have rooted phones – what can I do?

Jeff Forristal:
I definitely get that question a lot: ‘what is the security risk of a jailbroken or rooted device?’, and this largely has to turn back to ‘what are you trying to achieve?’ Are you trying to verify that the device is operationally correct and has the proper security model in place to hold your data? What are your requirements, what does the device need to do, and what is the required security posture? If you are comfortable with anyone reading email on any device, rooted or otherwise, it may not make sense; but if you have a more important security agenda, for example a BYOD enterprise, or you want to confirm a device is reasonably adhering to the security models that are implied by the general iOS and Android architecture, then a rooted or jailbroken device is basically a notification that the device may or may not actually adhere to this expected model.

The risk of rooted devices isn’t the fact that they are rooted – the risk of rooted devices is that there are functions that we want to act a certain way and through it being rooted we can no longer rely on those assumptions being true.