{"id":2885,"date":"2013-07-11T12:30:57","date_gmt":"2013-07-11T16:30:57","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=2885"},"modified":"2013-07-11T12:30:57","modified_gmt":"2013-07-11T16:30:57","slug":"google-critical-android-security-flaw-wont-harm-most-users","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/07\/11\/google-critical-android-security-flaw-wont-harm-most-users\/","title":{"rendered":"Google: Critical Android security flaw won&#039;t harm most users"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.techhive.com\/article\/2043907\/google-critical-android-security-flaw-wont-harm-most-users.html\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/07\/android_protect_primary_v2-100024987-gallery.jpg\" \/><\/a><\/p>\n<p>A security flaw could affect 99 percent of Android devices, a researcher claims, but the reality is that most Android users have very little to worry about.<br \/>\nBluebox, a mobile security firm, billed the exploit as a \u201cMaster Key\u201d that could \u201cturn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.\u201d In a blog post last week, Bluebox CTO Jeff Forristal wrote that nearly any Android phone released in the last four years is vulnerable.<br \/>\nBluebox\u2019s claims led to a fair number of scary-sounding headlines, but as Google points out, most Android users are already safe from this security flaw.<br \/>\nSpeaking to ZDNet, Google spokeswoman Gina Scigliano said that all apps submitted to the Google Play Store get scanned for the exploit. So far, no apps have even tried to take advantage of the exploit, and they\u2019d be shut out from the store if they did.<br \/>\nIf the attack can\u2019t come from apps in the Google Play Store, how could it possibly get onto Android phones? 
As Forristal explained to Computerworld last week, the exploit could come from third-party app stores, e-mailed attachments, website downloads and direct transfer via USB.<br \/>\n[Image: Google Play\u2019s app verification feature.]<br \/>\nBut as any Android enthusiast knows, Android phones can\u2019t install apps through those methods unless the user provides explicit permission through the phone\u2019s settings menu. The option to install apps from outside sources is disabled by default. Even if the option is enabled, phones running Android 4.2 or higher have yet another layer of protection through app verification, which checks non-Google Play apps for malicious code. This verification is enabled by default.<br \/>\nIn other words, to actually be vulnerable to this \u201cMaster Key,\u201d you must enable the installation of apps from outside Google Play, disable Android\u2019s built-in scanning and somehow stumble upon an app that takes advantage of the exploit. At that point, you must still knowingly go through the installation process yourself. When you consider how many people might go through all those steps, it\u2019s a lot less than 99 percent of users.<br \/>\nStill, just to be safe, Google has released a patch for the vulnerability, which phone makers can apply in future software updates. Scigliano said Samsung is already pushing the fix to devices, along with other unspecified OEMs. The popular CyanogenMod enthusiast build has also been patched to protect against the peril.<br \/>\nAndroid\u2019s fragmentation problem does mean that many users won\u2019t get this patch in a timely manner, if at all, but it doesn\u2019t mean that unpatched users are at risk.<br \/>\nNone of this invalidates the work that Bluebox has done. Malicious apps have snuck into Google\u2019s app store before, so the fact that a security firm uncovered the exploit first and disclosed it to Google is a good thing. 
But there\u2019s a big difference between a potential security issue and one that actually affects huge swaths of users. Frightening headlines aside, this flaw is an example of the former.<br \/>\nvia <a href=\"http:\/\/www.techhive.com\/article\/2043907\/google-critical-android-security-flaw-wont-harm-most-users.html\" target=\"_blank\">Google: Critical Android security flaw won&#8217;t harm most users | TechHive<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A security flaw could affect 99 percent of Android devices, a researcher claims, but the reality is that most Android [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7,9],"tags":[65,424,953],"class_list":["post-2885","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-android","tag-google","tag-security-flaw"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-Kx","jetpack-related-posts":[{"id":9330,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/04\/03\/security-now-657-protonmail\/","url_meta":{"origin":2885,"position":0},"title":"Security Now 657: ProtonMail","author":"NCCT","date":"April 3, 2018","format":false,"excerpt":"https:\/\/youtu.be\/OeSZg-ph3Ns This week we discuss \"DrupalGeddon2\", Cloudflare's new DNS offering, a reminder about GRC's DNS Benchmark, Microsoft's Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, Free electricity, a policy change at\u2026","rel":"","context":"In 
&quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/OeSZg-ph3Ns\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9516,"url":"https:\/\/nccomputertech.com\/techtalk\/2019\/02\/03\/to-the-woodshed-with-you-this-week-in-tech-704\/","url_meta":{"origin":2885,"position":1},"title":"To the Woodshed With You! &#8211; This Week in Tech 704","author":"NCCT","date":"February 3, 2019","format":false,"excerpt":"https:\/\/youtu.be\/14UX3TQ0K3Q FaceTime Flaw, Apple Spanks Facebook and Google, Huawei Suspicions, FBI Wants Your DNA, and more. \u2022 How to Watch the Superbowl Commercials Without All That Annoying Football \u2022 Apple's Not So Horrible Quarterly Earnings \u2022 Facetime Flaw Dulls Apple's Privacy Shine \u2022 Apple Spanks Facebook and Google for Data\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/14UX3TQ0K3Q\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9910,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/02\/11\/slap-and-flop-siri-ios-18-3-update-apple-music\/","url_meta":{"origin":2885,"position":2},"title":"Slap and Flop &#8211; Siri, iOS 18.3 Update, Apple Music","author":"NCCT","date":"February 11, 2025","format":false,"excerpt":"https:\/\/youtu.be\/Xwqi58VczQ4 What's going on with Siri? iOS 18.3 update is out now, along with a fix to a zero-day flaw. You can buy iPhones on eBay with TikTok installed on them as TikTok is still not available for download on the App Store. 
And on January 27th, 2010, Steve Jobs\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/Xwqi58VczQ4\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9930,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/05\/16\/fbi-says-toss-your-old-router\/","url_meta":{"origin":2885,"position":3},"title":"FBI Says Toss Your Old Router","author":"NCCT","date":"May 16, 2025","format":false,"excerpt":"https:\/\/youtu.be\/scR199zRjvA On Security Now, Steve talks about the FBI's suggestion that we should be tossing out our old routers.","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/scR199zRjvA\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9804,"url":"https:\/\/nccomputertech.com\/techtalk\/2024\/11\/08\/maximum-iceland-scenario-data-caps-3rd-party-android-stores-nuclear-amazon\/","url_meta":{"origin":2885,"position":4},"title":"Maximum Iceland Scenario &#8211; Data Caps, 3rd Party Android Stores, Nuclear Amazon","author":"NCCT","date":"November 8, 2024","format":false,"excerpt":"https:\/\/youtu.be\/P5MkCwktKz0 Data Caps, 3rd Party Android Stores, Nuclear Amazon \u2022 Google must crack open Android for third-party stores, rules Epic judge \u2022 Google asks 9th Circuit for emergency stay, says Epic ruling \u2018is dangerous\u2019 \u2022 Canceling subscriptions is about to get easier \u2022 The FCC is looking into the impact\u2026","rel":"","context":"In 
&quot;Software&quot;","block_context":{"text":"Software","link":"https:\/\/nccomputertech.com\/techtalk\/category\/software\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/P5MkCwktKz0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9307,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/03\/11\/this-week-in-tech-657-dadgum-cell-phone\/","url_meta":{"origin":2885,"position":5},"title":"This Week in Tech 657: DadGum Cell Phone","author":"NCCT","date":"March 11, 2018","format":false,"excerpt":"https:\/\/youtu.be\/KGrJJj_8YHU SXSW features killer robots and killer barbeque. Alexa's spontaneous laugh makes us afraid of an AI takeover. Amazon wants to take over your checking account. Can blockchain reinvent fintech? Android users more loyal than iOS users. Is AI really all that smart? Apple hires M. Night Shyamalan. Millennials love\u2026","rel":"","context":"In &quot;Social Media&quot;","block_context":{"text":"Social Media","link":"https:\/\/nccomputertech.com\/techtalk\/category\/social-media\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/KGrJJj_8YHU\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/2885","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=2885"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/2885\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=2885"}],"wp:term":[{"taxonomy":"category",
"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=2885"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=2885"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}