According to IBM's Security Intelligence blog, Android 4.3, the release just prior to the current 4.4 KitKat, has a stack buffer overflow in the Android KeyStore service. KeyStore is the system service that stores and protects cryptographic keys and credentials on behalf of apps and the platform, which makes this a particularly nasty bug: a successful exploit runs inside the keystore process and can expose those keys. At this point roughly 10.3% of Android devices are running 4.3, not the 86% that some early reports claimed.
The IBM researchers found the bug nine months ago and reported it to Google at once. They held the public disclosure until a fixed release was available (Android 4.4 is not affected) and published in late June 2014.
Fortunately, it is not an easy vulnerability to exploit. An attacker first needs a malicious app installed on the device, and that app then has to get past the platform's native exploit mitigations (IBM's write-up lists data execution prevention, address space layout randomization, stack canaries and the key-name encoding itself as hurdles) before it can reach the keystore's keys.
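The shape of the bug, as an added illustration in C written for this post (it is not the Android keystore source and not IBM's proof of concept): a key name chosen by the calling app is escaped into a fixed-size stack buffer, and because escaping can double the name's length, the "buffers are always larger than needed" assumption that the IBM title quotes stops holding. The buffer size, the escape scheme and all function names below are assumptions made for the example; the hardened variant simply computes the escaped length first and refuses names that do not fit.

```c
#include <assert.h>
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer that receives the escaped key
 * name. The value is hypothetical and kept small so the overflow
 * condition is easy to see. */
#define KEYFILE_BUF 32

/* Escaped length of a key name: alphanumeric bytes stay one byte, every
 * other byte becomes a two-byte escape. This growth is what defeats a
 * "the buffer is always larger than the name" assumption. */
size_t encoded_key_len(const char *name) {
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        n += isalnum(*p) ? 1 : 2;
    return n;
}

/* Vulnerable shape: escape straight into `out` with no notion of its
 * size. Returns the number of bytes written, excluding the NUL. With a
 * KEYFILE_BUF-byte stack buffer, any name whose escaped form is 32 bytes
 * or longer writes past the end. (Simplified escape scheme, not Android's.) */
size_t encode_key_unchecked(char *out, const char *name) {
    char *o = out;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (isalnum(*p)) {
            *o++ = (char)*p;
        } else {
            *o++ = '+';
            *o++ = (char)('0' + (*p & 0x0F));
        }
    }
    *o = '\0';
    return (size_t)(o - out);
}

/* Hardened shape: the callee knows the buffer size, computes the escaped
 * length first and refuses names that do not fit (NUL included).
 * Returns true on success; on failure `out` is left as an empty string. */
bool encode_key_checked(char *out, size_t out_size, const char *name) {
    if (out_size == 0) return false;
    if (encoded_key_len(name) + 1 > out_size) {
        out[0] = '\0';
        return false;
    }
    encode_key_unchecked(out, name);  /* safe: the length was verified above */
    return true;
}

/* Would the unchecked path overrun a KEYFILE_BUF-byte buffer for `name`? */
bool name_overflows_keyfile_buf(const char *name) {
    return encoded_key_len(name) + 1 > KEYFILE_BUF;
}

int main(void) {
    /* Constructed inputs: a benign alias and one a hostile app could pass. */
    const char *benign = "vpn_cert1";
    const char *hostile = "////////////////////";  /* 20 bytes -> 40 escaped */
    char buf[KEYFILE_BUF];

    printf("%-24s escaped=%zu overflow=%d\n", benign,
           encoded_key_len(benign), name_overflows_keyfile_buf(benign));
    printf("%-24s escaped=%zu overflow=%d\n", hostile,
           encoded_key_len(hostile), name_overflows_keyfile_buf(hostile));

    /* The checked encoder accepts the benign name and rejects the hostile one
     * instead of smashing the stack. */
    printf("checked(benign)  -> %d (%s)\n", encode_key_checked(buf, sizeof buf, benign), buf);
    printf("checked(hostile) -> %d\n", encode_key_checked(buf, sizeof buf, hostile));
    return 0;
}
```

The point the numbers make: 20 bytes of input is "obviously" smaller than a 32-byte buffer, yet its escaped form is 40 bytes. A bounds check has to be made against the output length after transformation, not the input length before it, and the only robust way to do that is to pass the destination size into the encoder.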
This is yet one more argument for buying an Android device whose maker ships operating system updates promptly and keeps shipping them for the long haul.
Thank you to Scott Bryson for sharing this news in our Low End Android Facebook group.
Primary Sources
- Android KeyStore Stack Buffer Overflow slide show, Roee Hay and Avi Dayan, IBM, 2014.06.30
- Android KeyStore Stack Buffer Overflow: To Keep Things Simple, Buffers Are Always Larger Than Needed, Roee Hay, Security Intelligence, 2014.06.23
Further Reading
- Serious Android Crypto Key Theft Vulnerability Affects 10% of Devices, Dan Goodin, Ars Technica, 2014.06.28
- Report: Android 4.3 Devices Vulnerable to Bug, PCMag, updated 2014.06.30
Keywords: #keystoresecurity #androidsecurity #androidnewstoday
Short link: http://goo.gl/l5R1wS