Black Hat: Android Master Key Vulnerability Revealed
This week at the Black Hat security conference, security researcher Jeff Forristal delivered a talk that detailed precisely what the Android master key vulnerability is all about. As Forristal explained, Google's Android had multiple vulnerabilities in how the operating system verifies the JAR/ZIP/APK files that run on Android devices.
Calling it a master key flaw is a bit of a misnomer, as it's not a single key, Forristal said. Rather, it's a family of bugs that allow an attacker to bypass signature verification. There are at least four currently known variants of the master key flaw.
Forristal found the flaw by accident during a project in which he and his team worked on getting Android's Google Maps program to report an incorrect location. This challenge eventually led him down the road to the discovery of the master key flaw.