Matt

Black Hat: Bluebox dishes dirt on Android 'Master Key' hack


The researcher behind the discovery of the infamous Android 'Master Key' vulnerability gave his long-awaited technical presentation detailing the high-profile mobile vulnerability.

Bluebox chief technology officer Jeff Forristal said that he originally discovered the flaw while working on a mapping application. In order to project his mapping data onto the Maps application in Android, he resorted to a technique in which code was inserted into the APK code of the application.

Before long, he realised the trick could have larger implications.

“Then I stopped and said I'm pretty sure this is not something I am supposed to be able to do,” Forristal mused.

After additional research, the vulnerability was disclosed to Google in February. In the weeks and months that followed, both Google and its OEM partners received and distributed a patch for the flaw.

While deployment varied by vendor, Forristal noted that Samsung was particularly diligent in fixing the flaw.

“They actually issued an update to fix this bug on an old Gingerbread Samsung device,” he said.

“Props that they didn't just fix their new stuff, they went back to fix their old Gingerbread stuff.”

Less than a month before Forristal was set to present the flaw at Black Hat, he issued a teaser blog post to publicly introduce the flaw. The post touched off a media firestorm and speculation that nearly every Android device was vulnerable.

Forristal said the hysteria generated by the report was exaggerated, but he also disputed counter-claims that the overwhelming majority of users had untrusted application sources disabled and thus would be protected by Google Play. He cited a company study which found some 69 percent of users have the protection disabled.

“A lot of people were essentially saying that the number of users who were changing this setting was statistically near zero, they only go to Google Play,” he argued.

The Bluebox CTO noted that trusted sources such as Amazon's Android store and enterprise mobile app services require users to disable the untrusted sources protection.

Source: V3.co.uk

Edited by Matt
