Question Mark on Android’s Security?

Android’s security has become questionable! Security researchers have found a bug in Google’s mobile operating system that could affect up to a bewildering 99% of the Android phones currently in use.

According to a report published on the blog of research firm Bluebox Security, a ‘master key’ has been found that could give cyber-thieves unrestricted access to phones and tablets running the Android operating system.

The researchers further said that the bug has been present since 2009 and that about 900 million handsets are at risk. Jeff Forristal, the chief technology officer of Bluebox, has said that the implications of the finding were ‘huge’.

The problem lies in the security verification process, which has been in use on the Google Play app store since the launch of Android 1.6. This could leave about 900 million devices exposed to hackers, who can take advantage of phones that are always on, always connected and always on the move (and so very difficult to detect) to gain access to the data collected by an app. More alarmingly, if an app created by the device manufacturer is compromised, the hacker could not only read arbitrary application data on the phone (SMS, emails, documents, etc.) and retrieve all stored accounts and passwords, but could also take over the phone’s normal functioning: make arbitrary calls, send SMSs, turn on the camera and record calls. Finally, the most fearsome thing hackers could do is create a botnet.

Android relies on cryptographic signatures to determine whether an app is legitimate and has not been tampered with or modified. With this bug, an app’s code can be changed without changing its cryptographic signature, allowing a malicious author to trick Android into believing that the app has not been changed.
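To make the integrity check described above concrete, here is an added example (not code from Bluebox, Google or this article) that audits an archive against a simplified JAR-style manifest of per-file SHA-256 digests and also flags any entry name stored more than once, since such an archive gives no single answer to which bytes were checked. The file names, helper functions and sample archives are constructed for the example, and the signature over the manifest itself is assumed to be verified elsewhere.

```python
import base64, hashlib, io, warnings, zipfile
from collections import Counter

MANIFEST = "META-INF/MANIFEST.MF"

def digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_archive(signed, packed):
    """Constructed sample: manifest digests come from `signed`, zip entries from `packed`."""
    manifest = "Manifest-Version: 1.0\n\n" + "".join(
        f"Name: {n}\nSHA-256-Digest: {digest(d)}\n\n" for n, d in signed.items())
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when a name is written twice
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(MANIFEST, manifest)
            for name, data in packed:
                zf.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """Map entry name -> expected digest (simplified: no line wrapping, LF only)."""
    digests = {}
    for block in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "Name" in fields:
            digests[fields["Name"]] = fields.get("SHA-256-Digest")
    return digests

def audit(archive_bytes):
    """Return a list of findings; an empty list means every entry matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        expected = parse_manifest(zf.read(MANIFEST).decode())
        infos = [i for i in zf.infolist() if not i.filename.startswith("META-INF/")]
        counts = Counter(i.filename for i in infos)
        findings += [f"duplicate entry: {n}" for n, c in sorted(counts.items()) if c > 1]
        for info in infos:  # check every stored copy, not just one per name
            if info.filename not in expected:
                findings.append(f"unlisted entry: {info.filename}")
            elif digest(zf.read(info)) != expected[info.filename]:
                findings.append(f"digest mismatch: {info.filename}")
    return findings

if __name__ == "__main__":
    files = {"classes.dex": b"original code", "res/icon.png": b"icon"}
    print(audit(build_archive(files, list(files.items()))))
    print(audit(build_archive(files, [("classes.dex", b"changed"), ("res/icon.png", b"icon")])))
```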

The details of bug 8219321 were responsibly disclosed by Bluebox Security through its close relationship with Google. It is up to device manufacturers to create and release firmware updates (and then for users to install them). The availability of these updates will depend on factors such as the manufacturer and the phone’s model. Some manufacturers have already fixed the problem, as with the Samsung Galaxy S4. However, Google’s own Nexus has not been fixed yet.

If you are using an Android phone, you can breathe a small sigh of relief: according to experts, there is currently no evidence that the bug has been exploited.