The words “Master Key bug” would probably send shivers down the spine of anyone who is even remotely concerned about the security of the Android platform and of their devices. It seems to be an ongoing battle, as the newly released Android 4.4 contains a fix for yet another, though weaker, variant of the bug.

The bug made headlines in July when Bluebox Security disclosed the vulnerability that could potentially affect 99 percent of all Android devices. The issue lies in how Android handles the verification and installation of apps: a security hole allows malicious people to modify the content of an app without changing the cryptographic signature that is used to ensure the app’s identity. Bluebox gave Google and device manufacturers time to patch bug #8219321, but only a few devices received the fix after a few months. In the meantime, a related bug #9695860 was also fixed.

Saurik, who develops the Cydia set of security-oriented apps, dived into the Android 4.4 source code released to the AOSP and discovered a patch for bug #9950697. This variant of the Master Key bug is considered less severe than the two previous bugs but is still serious enough to be exploitable. Saurik has provided a more detailed analysis of the bug as well as example programs that try to gain access via the bug. Saurik has also updated his Cydia apps, which will patch the bug on installed and rooted systems.

All three bugs have been fixed in Android 4.4 and in the AOSP, and hardware partners have been notified. While those using Google’s Nexus devices, or even those running custom ROMs, might receive the patch as soon as possible, it might take some time before OEMs roll out an update, in no small part due to the layers of modifications they apply on top of Android.

VIA: AndroidBeat

  • Franc012

    “it is unknown whether those fixes have trickled down to end users via manufacturers and carriers”

    So, this whole story is uncorroborated??? That’s good sleuthing on the author’s part!

    • Justin Case

      Author fails badly on this story. Yes, some OEMs have backported patches for this vuln back to at least 4.2.2.

  • So the bug that’s patched by 4.4 means that 4.4 contains this bug? That makes sense…

  • jlninja

    Google releases a version with a known bug that’s found by others within a few days of its release, and you blame others for a slowdown in getting the patch. GOOGLE NEVER SHOULD HAVE RELEASED IT WITH THE BUG !!!!!

    • Justin Case

      They didn’t. Author either poorly worded the article or didn’t understand the subject. You didn’t read the comments.