The words “Master Key bug” would probably send shivers down the spines of anyone who is even remotely concerned about the security of the Android platform and of their devices. It seems that it is an on-going battle as the newly released Android 4.4 contains a fix to yet another but weaker variant of the bug.
The bug made headlines in July when Bluebox Security disclosed the vulnerability that could potentially affect 99 percent of all Android devices. The issue is with how Android handles the verification and installation of apps, which has a security hole that will allow malicious people to modify the content of an app without changing the cryptographic signature that is used to ensure the app’s identity. Bluebox gave Google and device manufacturers time to patch bug #8219321, but only a few devices received the fixed after a few months. In the meantime, a related bug #9695860 was also fixed.
Saurik, who develops the Cydia set of security-oriented apps, dived into the Android 4.4 source code released to the AOSP and discovered a patch for bug #9950697. This variant of the Master Key bug is considered less severe than two previous bugs but is still strong enough to cause an exploit. Saurik has provided a more detailed analysis of the bug as well example programs that tries to gain access via the bug. Saurik has also updated his Cydia apps that will patch the bug on installed and rooted systems.
All three bugs have been fixed in Android 4.4 and in the AOSP and hardware partners have been notified. While those using Google’s Nexus devices, or even those running custom ROMs, might receive the patch as soon as possible, it might take some time before OEMs roll out an update, in no small part due to the layers of modifications they apply on top of Android.