Black Hat: Is Your Android Device Defended Against Untrusted App Sources?

Early reports on the Android Master Key bug discovered by researchers at Bluebox claimed that as high as 99 percent of all Android devices could be vulnerable. Later reports backtracked substantially, noting that only users who turned off the feature that prevents installing apps from untrusted sources could possibly be affected. Nobody does that, right? In his Black Hat presentation, Bluebox's Jeff Forristal explained that it's not that simple.
The main thrust of Forristall's presentation involved explaining the Master Key vulnerability in great detail. He also reported on several other related bugs that could allow modification of apps without affecting the Android verification process. Most of these involved disparities between different ZIP file parsing modules within Android.
Common Wisdom?
At the end of the presentation Forristall addressed the contention that almost all users are protected by the setting that prohibits installing apps from untrusted sources. "'Everyone knows' that no users change the 'allow untrusted sources' setting," said Forristall. "Really? Where'd this data come from?" Those reports don't cite a source.
The Bluebox Security Scanner reports totally anonymous telemetry data back to Bluebox each time someone runs a scan. One of the items included in the telemetry is whether or not the device is set to allow apps from untrusted sources.
Forristall challenged the audience to guess how many users turned off protection against untrusted sources, in 25 percent increments. I guessed from 50 to 75 percent, and I scored. "How many users allow untrusted sources?" asked Forristall. "69 percent of the people flipped the switch!"

He noted that the sample was just a quarter of a million users. "I feel the 69 percent figure is high," said Forristall, "probably due to our sampling population. I'd love to see this on 10 or 100 million. Even if it was closer to 20 percent, it's still big, way bigger than those 'experts' think."
Why So High?
"There are a lot of reasons motivating users to disable this protection," noted Forristall. "It's not just for pirated applications. Amazon Appstore, for example, they do a lot of work to ensure it's malware-free, but if you put it on your non-Amazon device, step one for installation is to allow apps from sources other than Google Play. Enterprises need to have that setting off for their BYOD and MDM solutions, and to distribute in-house apps."
"There are a number of compelling reasons to change that setting," concluded Forristall, "and once they change it, it won't get put back." Of course, that's the same argument some experts used to predict that no users would make the change in the first place—it's just too much work.
That setting is theoretically irrelevant if you never go anywhere for apps but Google Play, but why take chances? If I were an Android user, I'd definitely enable the ban on untrusted app sources.