99% Android Devices Totally Open — How Long Before Open Source Security and Code Level Integrity Are Appreciated?


Mobile security startup Bluebox Security has unearthed a vulnerability in Android’s security model which, it says, means that nearly 900 million Android phones released in the past four years, some 99% of Android devices, could be exploited. The vulnerability has apparently been present since Android v1.6 (Donut) and was disclosed by the firm to Google back in February. The Samsung Galaxy S4 has already apparently been patched.

It’s likely that Google is working on a patch for the vulnerability. We’ve reached out to the company for comment and will update this story with any response.

Bluebox intends to detail the flaw at the Black Hat USA conference at the end of this month, but in the meantime it has written a blog post delving into some detail. The vulnerability apparently allows a hacker to turn a legitimate app into a malicious Trojan by modifying APK code without breaking the app’s cryptographic signature. Bluebox says the flaw exploits discrepancies in how Android apps are cryptographically verified and installed: specifically, it allows a hacker to change an app’s code while leaving its cryptographic signature unchanged, thereby tricking Android into believing the app itself is unchanged and allowing the hacker to wreak their merry havoc.

Read full article.
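The article above says only that the flaw lives in a discrepancy between how an APK is verified and how it is installed. As an added illustration of that class of bug (example code written for this page, not from the article, Bluebox or Google), the script below shows one well-documented way such a mismatch arises in ZIP-based packages like APKs: an archive that carries two entries with the same name, so that a component which walks the whole central directory sees one thing while a component which looks entries up by name sees another. The archive it builds is a constructed toy (made-up file names and contents, not a real APK); the check it demonstrates is the defensive one, rejecting any package whose central directory is ambiguous before anything in it is trusted.

```python
"""Detect ambiguous (duplicate-name) entries in a ZIP-based package.

Added example for this page; the sample archive is constructed here and is
not a real APK. The point is defensive: a package whose entries cannot be
resolved unambiguously should be rejected before any verification result
is trusted, because two consumers may otherwise pick different entries.
"""
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entry_names(zip_bytes: bytes) -> list:
    """Return every entry name that appears more than once in the central directory.

    infolist() walks the full central directory, so both copies are visible here.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def is_unambiguous(zip_bytes: bytes) -> bool:
    """Accept the package only if no entry name is duplicated."""
    return not duplicate_entry_names(zip_bytes)


def resolve_by_name(zip_bytes: bytes, name: str) -> bytes:
    """Return the bytes a by-name lookup yields for `name`.

    Python's zipfile keeps a name -> entry map in which the last central
    directory record wins, so a duplicated name silently resolves to the
    later copy. Another consumer may resolve it to the first copy; that
    disagreement is exactly what a duplicate-name check exists to prevent.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def build_sample(duplicate: bool) -> bytes:
    """Construct a toy archive (not a real APK).

    With duplicate=True a second `classes.dex` entry is appended after the
    first, giving the archive two entries with the same name.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about duplicate names but still writes them; silence that
        # so the sample mirrors an archive produced by a tool that does not warn.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")  # constructed placeholder
            zf.writestr("classes.dex", b"dex\n035\x00 original")  # constructed placeholder
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00 replaced")  # second entry, same name
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("clean", build_sample(False)), ("ambiguous", build_sample(True))):
        dups = duplicate_entry_names(pkg)
        verdict = "accept" if is_unambiguous(pkg) else "reject"
        print(f"{label}: duplicates={dups} -> {verdict}")
        if dups:
            # Show which copy a by-name lookup quietly picks.
            print("  by-name lookup returns:", resolve_by_name(pkg, dups[0]))
```

The check runs over the central directory only and never executes or installs anything; it belongs in front of signature verification in any pipeline that accepts third-party packages, because a valid signature over an ambiguous archive proves nothing about which copy of an entry will later be loaded.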


Phi Beta Iota: Winn Schwartau, Jim Anderson, Bill Caelli, and Robert Steele all sounded the alarm and made specific recommendations in 1994 that were ignored. This is a good opportunity to reboot everyone’s understanding of open source security and open source everything.

See Also:

2010: OPINION–America’s Cyber Scam

1994 Sounding the Alarm on Cyber-Security

DefDog: $15 Billion for Cyber-Command, Zero for Actual Needs + Meta-RECAP

Open Source Everything (OSE) – List and Book

Open Source Everything Manifesto (P2P Foundation)

The Open Source Everything Manifesto (Reality Sandwich)
