Android 'Master Key' Puts Smartphones At Risk

Dennis Faas's picture

It's estimated that up to 99 per cent of all Android smartphones are vulnerable to a new security vulnerability. The bug involves two of the main security measures used on phones running the popular Android operating system from Google.

The first security measure affected by the bug is the security check used on all applications that run on an Android phone. Every application has a cryptographic signature, which is a code that confirms the application is genuine.

The signature directly correlates to the contents of the application itself, meaning that any attempt to tamper with the contents would change the signature and alert the device that something was wrong.

The second measure is known as the 'permissions' system. On occasion, Android will prompt users to approve of an action before granting an app permission to follow through. This can involve an app dialing a phone number or accessing the device's camera.

"Master Key" Allows Undetected Tampering

But mobile security firm Bluebox says it has found a "master key" that lets it modify applications without altering the cryptographic signature, meaning significant changes would go undetected.

An altered app could therefore be set up to carry out malicious activities, such as passing on confidential data to the hackers. (Source:

Even more seriously, Bluebox says it has been able to carry out undetected modifications on applications created by the phone's manufacturer. Such applications are commonly set-up to have all permissions active because the system inherently needs to trust the manufacturer.

That means a hacker infiltrating such an app would have almost complete control of an Android phone.

There are limitations, however: hackers would have to find a way to access a phone to modify an app or, more likely, to trick users into downloading and installing a modified version.

Security Patching Could Be Slow Process

Bluebox -- which insists it told Google about the problem five months ago -- says each individual phone manufacturer (working with the smartphone service provider) will need to issue its own security update to fix the problem. (Source:

In the meantime, Bluebox suggests users take care when downloading and installing apps. This means checking carefully to make sure they really do come from the advertised publisher.

It may also be worth sticking to the official Google Play store until an update is available.

Rate this article: 
No votes yet