Google has released a patch to fix a four-year-old security hole in Android, the so-called “Master Key vulnerability”, which could potentially have left smartphone and tablet users at risk from compromised apps installed from outside the Play Store, though users will have to wait for handset manufacturers to actually push the fix out. The security hole, identified by Bluebox Security, affected how Android apps were cryptographically verified and installed: the exploit allowed those with nefarious intentions to modify an app’s contents without invalidating its cryptographic signature.
Although the original announcement of the security issue was cloaked in ominous talk of potentially 900 million devices being affected, the reality was somewhat more mundane. Bluebox had already reported the flaw to Google earlier this year, and an initial fix had been developed for apps in the Play Store.
Now, in fact, the only real way to fall foul of the exploit is by installing an app through third-party means – i.e. transferring an APK not downloaded from the Play Store to a phone, and installing it manually – which most Android users don’t do. According to Google, ZDNet reports, that has been patched too, with a fix passed on to OEMs.
Google can “confirm that a patch has been provided to our partners,” Android Communications Manager Gina Scigliano said in a statement. “Some OEMs, like Samsung, are already shipping the fix to the Android devices.”
Of course, the hiccup in the process could be the long-standing one surrounding Android updates: the fact that users are dependent on manufacturers pushing out timely updates, even to what might be considered legacy devices.
Still, even if you’re left waiting, the message from Google is that the risk is minor. “We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools,” Scigliano said of the exploit, pointing out that “Google Play scans for this issue – and Verify Apps provides protection for Android users who download apps to their devices outside of Play.”