Since Bluebox announced that it had found a "masterkey" hole in Android, various security researchers have been looking into what the problem could be. It appears that the problem is a simple implementation bug in how Android verifies JAR/ZIP/APK files. An issue on the CyanogenMod developers' tracker sheds more light on the problem. It is possible to take an Android archive file and add a modified version of a Java class file before the original file in the archive. When the Android operating system goes to verify the signature on the file, it examines the latter, original file and, as this is unchanged, will pass the archive as valid. But when the archive is actually used, it is the first, modified version of the file in the archive that is used.

CyanogenMod project lead, Steve Kondik, has already committed a patch by Geremy Condra of Google, which adds a check for duplicate names and throws an exception when one occurs. Examining the current Android Open Source Project source tree shows that this fix has not been applied to the relevant file, which is in line with what Jeff Forristal, CTO of Bluebox said in interviews.

The appearance of two files with identical names in a JAR/ZIP/APK archive will provide application scanners with a simple signature for detecting modified archives and, presumably, it is this that Google scanned for when checking the content of the Google Play Store. An attacker would still need to introduce a modified APK into the delivery chain somehow. It is still unclear how Bluebox's claim that manipulating system packages could give attacks arbitrary privileges as, in order to install or replace a system package, an attacker would already need system privileges.

The big problem for Google now though, is to ensure that the tens of millions of Android devices that have been sold do get updated with fixed firmware. A first step would at least be to apply the fix to the open source version of Android officially. Although the threat can be mitigated by better app store hygiene.

(djwm)