Jul 19, 2013

    Avoid cyber harm with care and common sense

    The Star/Asia News Network

    IN RECENT weeks, most tech websites have run stories on a Bluebox report about a vulnerability detected in the Android system.

    The vulnerability is codenamed "Master Key". It allows apps which have already been installed to be modified without the user's awareness.

    The mobile-security company reported that 99 per cent of Android devices (all but the Samsung Galaxy S4) are prone to this vulnerability.


    Explaining the latest mobile scare on its blog, online security provider Trend Micro said the vulnerability is related to how Android apps are signed.

    All Android apps have a digital signature from their developers, which verifies that the app came from the developer and was not modified en route.

    An app can be updated only if the new version of the app has a matching signature from the same developer.

    The vulnerability is in that last step. What researchers have found is a way for attackers to update an already-installed app even if they do not have the original developer's signing key.

    In short, any installed app can be updated with a malicious version.

    Technically, there is no "master key" that has been breached. Any app can be modified and used for malicious purposes, as there's no "master key" in the first place.


    This vulnerability can be used to replace legitimate apps on an Android device with malicious versions.

    Apps with many permissions - like those from the phone's manufacturer or the user's service provider - are at particular risk.

    Once on the device, the modified apps will behave like malicious apps, except that the user will think they are legitimate.

    For example, a modified or Trojanised app for a bank would continue to work for the user, but the credentials would be sent to an attacker.

    Google has since released a patch to fix this issue. While this is good news, the fragmentation of the Android ecosystem means that the update won't be rolled out to everyone immediately.

    This is because the patch will first have to go through the device manufacturers, and telecommunication carriers in certain cases, before being made available to the end users.

    However, there's not much reason to be paranoid about the vulnerability in the meantime. What we should do is to educate ourselves about ways to reduce the risk of exposing ourselves to such a vulnerability.


    Users should ensure that they download their apps only from reliable sources.

    For Android users, the Google Play Store is the most secure place to download apps. This is because apps that make it there would have gone through some form of screening.

    While some rogue apps do make it through the screening, the chance of coming across such an app is minimal.

    Users should stay away from pirated or cracked apps from third-party sources such as black markets.

    If people can spend as much as they do on Starbucks, I'm pretty sure they can afford to pay for apps which they will find useful, so as to support app developers.


    Another piece of advice is to be sceptical when you come across any suspicious-looking apps.

    For example, you should know that something probably isn't right when you see a free app promising you pictures and videos of sexy girls in bikinis.

    When downloading an app, it is important to be aware of the permissions that the app requires when you are installing it.

    You should be wary of apps which require permissions that don't make sense, such as a wallpaper app that requires permissions to control phone calls.


    The need for an antivirus in Android smartphones is still being debated widely but, in the case of the Master Key vulnerability, it looks like an antivirus will be helpful as most mobile-security providers have been working to protect Android users from this threat.

    At the end of the day, there's really nothing to be alarmed about.

    Exercising proper care and caution, while applying some common sense, can protect you from cyber harm and threats.

    It is a good idea to download the Bluebox Security Scanner to scan your Android device for any modified apps that may be trying to take advantage of the Master Key vulnerability. The scanner also checks if the security patch has been installed on your device.

    The writer is a full-time auditor and big-time gadget lover. His commentary appeared in The Star newspaper on Wednesday.