Android 4.4 contains a fix for yet another, albeit weaker, variant of the so-called MasterKey bug that first surfaced in July.
The vulnerability first shook the security world when mobile security startup Bluebox Security warned about a class of flaw that potentially affected 99 per cent of Android devices. The problem revolved around how Android handled the verification of the integrity of apps.
Security shortcomings meant that malicious parties could alter some of the contents bundled in an app without changing its cryptographic signature. Apps for Android come as .APKs (Android Packages), which are effectively just ZIP archives. Bluebox discovered it was possible to pack an installation file with files whose names are the same as those already in the archive. These duplicate-named files could easily contain malicious code. Bluebox discovered the gaping security hole in February and notified Google, but a fix didn't arrive until July.
The issue arose because Android checked the cryptographic hash of the first version of any repeated file in an APK archive, but the installer extracted and applied the last version, which might be anything and wouldn't be checked provided it had the same file name as an earlier (legitimate) component.
A similar bug, discovered by Chinese Android researchers, was also fixed in July. It was Java-based but had the same practical consequences: miscreants could upload Trojan-laden .APK files onto online marketplaces that carried the same digital signature as the legitimate app. Both earlier issues were resolved with Android 4.3 Jelly Bean, which was released in July.
Investigation of the recently released Android 4.4 source code by Jay Freeman, a mobile security developer best known for his work on iOS and Cydia*, has revealed that it contains a patch for a third flaw along the same lines. The third flaw is less easy to exploit than the two previous variants, but is still potentially problematic. It arises because it is possible to manipulate the filename length field in a ZIP file's metadata.
"The local header filename length is deliberately set so large that it points past both the filename and the original file data," explains veteran antivirus expert Paul Ducklin on the Sophos Naked Security blog. "This presents one file to the verifier, and a different file to the operating system loader."
Android maintainers have quashed the latest bug by altering the Java-based validation code "so that it follows a similar path through the data to that used by the loader," according to Ducklin, who describes this as an effective (if not holistic) fix.
Freeman has published a detailed analysis of the flaw, along with proof-of-concept code. The third flaw was found at around the same time as the others, but only patched this month.
All three flaws stem from the features of the Zip file format, designed in an earlier era of computing, which featured filename redundancy in case files had to be split across multiple floppy disks. These and other antiquated features are hard-wired into the Zip format, handing over security issues to Android Packages built on the foundations of the format as a result.
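The duplicate-name and filename-length problems described above both come down to a ZIP archive describing the same entry in more than one place. The following is an added example, not Android's verifier or Freeman's code: a defender-side audit that flags repeated entry names and local headers that disagree with the central directory. The function names and the sample archive are assumptions made for illustration.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

def audit_apk(data: bytes) -> list[str]:
    """Return findings for ZIP/APK bytes; an empty list means neither check fired."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()  # parsed from the central directory only
    # Check 1: repeated names let a verifier and an installer pick different entries.
    for name, count in Counter(e.filename for e in entries).items():
        if count > 1:
            findings.append(f"duplicate entry name: {name} (x{count})")
    # Check 2: each local header must carry the same name as the central directory.
    for e in entries:
        hdr = data[e.header_offset:e.header_offset + 30]
        if len(hdr) < 30 or hdr[:4] != b"PK\x03\x04":
            findings.append(f"bad local header: {e.filename}")
            continue
        (name_len,) = struct.unpack_from("<H", hdr, 26)  # local filename length field
        local_name = data[e.header_offset + 30:e.header_offset + 30 + name_len]
        enc = "utf-8" if e.flag_bits & 0x800 else "cp437"
        if local_name != e.orig_filename.encode(enc):
            findings.append(f"local/central filename mismatch: {e.filename}")
    return findings

def build_sample(names) -> bytes:
    """Constructed sample: a tiny in-memory archive with the given entry names."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when a name is repeated
        with zipfile.ZipFile(buf, "w") as zf:
            for i, n in enumerate(names):
                zf.writestr(n, f"payload {i}")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_apk(build_sample(["classes.dex", "res/a.png"])))
    print(audit_apk(build_sample(["classes.dex", "classes.dex"])))
```

An empty result only means these two inconsistencies are absent; it says nothing about the signature itself.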
Sources have confirmed that all three bugs have been fixed in Android 4.4 and that Google's OEM hardware partners have been notified. It might still take some time for device manufacturers to roll out the update, if the progress of previous updates through the Android ecosystem is any guide.
El Reg was able to confirm through Romanian software security firm Bitdefender that the latest MasterKey vulnerability has been fixed.
Bogdan Botezatu, senior e-threat analyst at Bitdefender, said: "The code committed into the linked GIT repository has changed in the 4.4 RC1 iteration and the attack vector described in the article has – to our knowledge – been mitigated.
"We also tried to reproduce the described exploit in the compiled AOSP builds that started showing up since Friday to no avail. However, we are looking into the unit to see if special scenarios could allow for similar exploits," he added.
Bitdefender's Botezatu discovered two benign gaming apps featuring the original MasterKey vulnerability in the official Google Play store two weeks after the problem first surfaced, so his reassurance that there are no further hidden problems in Android along the same lines, at least for now, is welcome.
*Cydia is an application that lets fanbois search for and install software packages on jailbroken iOS Apple devices.