Bluebox releases scanner for Android signing hole
Bluebox, the company that disclosed the existence of a flaw in Android which allowed APK files to be covertly modified, has now released the "Bluebox Security Scanner" on the Google Play and Amazon Android Store as a free app. The app checks whether the device it is installed on is vulnerable to the problem, checks whether the device allows installations from sources other than the Google Play Store, and scans applications for the presence of any code that appears to exploit the vulnerability.
The latter feature caused some consternation among bloggers as, initially, it reported any application which was read protected as "trying to evade the scanner"; the app has been updated to version 1.2, which now only offers a count of the read-protected applications it has quietly skipped. Although the app is packaged as the "Bluebox Security Scanner", internally it refers to itself as the "MasterKey Security Scanner" even though there is no master key involved in the process. The recently released exploit for the bug merely unpacks an APK archive, allows files to be modified and then repacks the archive, storing both the original and modified version of any changed file. It is the duplication that tricks Android into believing the APK file has not been tampered with.
The Security Scanner should only be used as an adjunct to other security software on Android as it is very much focused on testing for this one vulnerability. In testing, the software correctly identified that the Samsung Galaxy S4 was not vulnerable, being one of the few phones that has had the simple fix applied to it.
(djwm)