Got an Android device that’s not a Samsung Galaxy S4? Download this. Then use it to check for the Master Key exploit (the app will walk you through it). Why? While you’re waiting to see what’s wrong with your phone, we’ll explain what’s going on.
Bluebox is a security company that specializes, as you may have guessed from the name if you’re an old-school nerd, in mobile phone and mobile computing security. And recently they made something of a splash by turning up an exploit they call Master Key. And it’s a singularly nasty exploit that affects 99% of all Android devices.
Essentially, all Android apps have a “signature”, a cryptographic bit of business that tells Google that, yes, this app is legitimate and no, this app has not been modified. One problem, though: a gap in how these signatures are verified means a smart hacker can mess around with the app while leaving the cryptographic signature completely unchanged. In effect, this means that any app, any app at all, could be turned into a Trojan, breaching your phone and collecting all the data on it. Including, say, your credit card numbers, Facebook credentials, and other fun stuff.
Worse, this flaw dates way, way back, to Android 1.6, meaning almost every device on the market and in use is vulnerable to the exploit. The good news is that Google is aware of the problem and is fixing it. The bad news is that your device manufacturer has to create a firmware update and plug the hole themselves. In short, we’d avoid downloading any apps until you get the all clear from your hardware manufacturer. Except, of course, Bluebox’s app, which will also check your device for any security vulnerabilities related to Master Key.
Unless the app itself has been breached. Isn’t paranoia fun?
Dan Seitz is an obsessive nerd living in New England. He lives in the Boston area with a fiancee, a dog, a cat, and far too many objects with processors.