In early July 2013 I asked our CTO, Chris Atienza, about the Android Master Key “flaw”. I am late getting this posted but it could surface.
This is a ‘serious’ flaw, but nothing I think the honest and informed user needs to worry about.
Basically each APK is digitally signed ‘guaranteeing’ that the code and any updates came from the same, ostensibly authentic, developer/distributor. This flaw apparently leverages a hole so that content of the apk can be modified without the signature changing, thus allowing code the author did not intend to be run.
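As an added, defender-side example that is not from the original post: the check below verifies every zip entry in an APK against the SHA1-Digest lines in META-INF/MANIFEST.MF and flags duplicate entry names, the inconsistency the published analyses of the Master Key issue turned on. It runs on a constructed in-memory sample rather than a real APK, and its manifest parser assumes no continuation lines and no signature-block handling.

```python
import base64
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def parse_manifest(text):
    """Map entry name -> SHA1-Digest from MANIFEST.MF (assumes no continuation lines)."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:]
    return digests


def check_apk(data):
    """Return findings: duplicate entry names, and entries whose bytes do not match the manifest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()  # includes every central-directory record, duplicates too
        for name, count in Counter(i.filename for i in entries).items():
            if count > 1:
                findings.append(f"duplicate entry: {name} x{count}")
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in entries:
            if info.filename.startswith("META-INF/"):
                continue
            # open() with the ZipInfo reads this specific record, not the last one by name
            actual = base64.b64encode(hashlib.sha1(zf.open(info).read()).digest()).decode()
            if digests.get(info.filename) != actual:
                findings.append(f"digest mismatch: {info.filename}")
    return findings


def build_sample(tampered):
    """Constructed sample: a manifest covering classes.dex; tampered adds a second classes.dex."""
    good = b"original dex bytes"
    digest = base64.b64encode(hashlib.sha1(good).digest()).decode()
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\nSHA1-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("classes.dex", good)
        if tampered:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns about duplicate names
                zf.writestr("classes.dex", b"replaced dex bytes")
    return buf.getvalue()
```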
One thing that this does NOT allow, contrary to many ignorant reports, is for an app to gain extra privileges. I.e., if I place code to access contacts and the internet into a package that did not already have access to such, the app would then fail with a security exception. What an attacker could possibly do (although it is not clear if the hole would allow this) is modify the manifest as well so that the app does request such privileges. As far as I’m concerned, if a user allows a game to access their contacts, info and internet, legitimate or otherwise, they get what they deserve.
The questions are
1) Where do users get their apps? Google Play, Amazon, Joe’s Hacked Apps for Free, or some other site? If from legitimate sites, then the risk is no different than when I install any app that asks for more privileges than it needs. People may not read them, but if I sell fool-proof locks, I am not responsible for people who leave them unlocked or digitally pass out copies of their keys (i.e., allow random apps unlock access), or leave their window wide open. If from less than legal sites, then once again, it’s their tough luck.
2) If users download an app from a ‘trusted source’ and ‘trusted vendor’, i.e. the Google Play Store and Rovio (although why anybody would trust those data-mining experts is beyond me), there is a risk that you are actually giving the wrong person access to resources… but again, did you read the permissions being requested? Why does Irritable Avians need access to GPS, Contacts, the big Red Launch Button, and wide-open Interwebs?
Even when guaranteed legitimate – the user must take responsibility for anything they allow an app to do. Android gets a bad rap because few people read, let alone understand, the permissions. All they care about is getting a game for free or cheap. I will say at least with Android, for those that do care, you know what an app has access to do and can decide whether or not to continue an install, or to search for a less obtrusive alternative. With iOS, you place all your trust in Apple. Does the IPA access the internet? The user doesn’t know unless the description says so. All they know is that Apple said it was OK. I think it is interesting how with Apple, an app will notify the user and provide a choice of whether or not the app will accept push notifications, but it will not do the same thing with general access to location and internet. I can only surmise that this is because push notifications cost Apple infrastructure bandwidth and money to support – better to discourage their use.
Anyway, the flaw is nonetheless major. As a developer, I’d like to think that only my code could update my code. If my app legitimately requires Internet to function and it is compromised, I’d be pissed. But then, as a developer, it behooves me to secure my vendor account and demand that Google or Amazon do the same thing. With that, I know when people buy from me, they are getting my app, my code. If a user gets my code via other means, that’s out of my control and not my concern. They take the risk when they decide to rob the developer of money, or an official download count.
Also, it seems there have been no exploits of this flaw detected so far (the whistle blowers state repeatedly that this is a theoretical risk), and Google has taken measures to thwart it on Google Play. I can only assume Amazon will follow suit.