Android vulnerability fix distribution a key issue

Zscaler : 18 July, 2013  (Technical Article)
Zscaler comments on the need for effective distribution of fixes for key vulnerabilities to the existing user base of Android-based smartphones

Following the news that Chinese hackers have discovered a second Android master key vulnerability, Michael Sutton, VP Security Research at Zscaler, comments:

“Both the original 'master key' vulnerability and this latest 'integer mismatch' vulnerability allow a hacker to inject malicious code into an Android application (.apk) file and the injected code won't be detected due to issues with the verification logic. The techniques are different, but they achieve a similar goal. The 'integer mismatch' isn't as universal, as it's dependent upon the specific .apk that you're injecting into, but it does appear to impact most .apk's.

While Google will no doubt issue a quick fix, the greater concern is getting that fix onto handsets in use today. Due to the nature of the Android ecosystem, having Google update the main branch of the Android operating system with a fix is only step one. The master key vulnerability discovered by Jeff Forristal was reported to Google months ago, and we're still waiting for patches from certain hardware vendors. It appears that this time around Google doesn't have the luxury of having the vulnerability reported privately. What does this mean for the average end user? Google still validates apps in the Google Play store to ensure that they aren't harbouring malware either overtly, or using a technique such as one of the aforementioned vulnerabilities. Therefore, users should stick to 'official' app stores such as Google Play to avoid the possibility of downloading a Trojanised app.”
