Android ‘Master Key’ Security Flaw Discovered

A “master key” that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox. The bug could be exploited to let an attacker do what they want to a phone, including stealing data, eavesdropping or using it to send junk messages.

‘Loophole’

The loophole has been present in every version of the Android operating system released since 2009. Google said it currently had no comment to make on BlueBox’s discovery. Writing on the BlueBox blog, Jeff Forristal said the implications of the discovery were “huge”.


‘Malicious changes’

The bug emerges because of the way Android handles cryptographic verification of the programs installed on the phone. Android uses the cryptographic signature as a way to check that an app or program is legitimate and to ensure it has not been tampered with. Mr Forristal and his colleagues have found a method of tricking Android’s check of these signatures so that malicious changes to apps go unnoticed.

Any app or program written to exploit the bug would enjoy the same access to a phone that the legitimate version of that application enjoyed. The danger from the loophole remains theoretical because, as yet, there is no evidence that it is being exploited by cyber-thieves.

Do you think the discovery of this “master key” to Android is significant? Can Google find a way to remedy this loophole?

Source: BBC News

Image: UK Mobile Review

ACLU: Employers Have No Right to Ask For Facebook Password

Your Facebook password is none of your new boss’ business. That’s what the American Civil Liberties Union is saying after reports that employers are increasingly asking for access to job applicants’ social-media accounts.

“It’s an invasion of privacy for private employers to insist on looking at people’s private Facebook pages as a condition of employment or consideration in an application process,” attorney Catherine Crump said in a statement from the ACLU. “People are entitled to their private lives.”

Recently, multiple cases have come to light in which companies have either asked for passwords to Facebook or required that applicants “friend” people at those companies. An Associated Press report this week highlighted Justin Bassett, a New York statistician who said that, during a job interview, the interviewer pulled up his Facebook page and asked for his password. He said he refused.


The ACLU said it has found an increasing number of companies with such policies on Facebook. It says the practice is more common with public agencies, such as law enforcement. On an ACLU Facebook page Thursday, followers were, not surprisingly, overwhelmingly against the concept: “I consider it a violation of personal privacy,” one user wrote. “Will the next step be to request a key to my house?”

It is technically against Facebook’s Terms of Service to share a password: “You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account,” the agreement reads. In addition to Maryland, lawmakers in Illinois are considering legislation that would ban the practice.

Source: CNN

Image: Press TV