chicksdaddy writes "The saga of the application-signing flaw affecting Google's Android mobile phones took another turn Tuesday when a Silicon Valley startup teamed with graduate students from Northeastern University in Boston to offer their own fix-it tool for hundreds of millions of Android phones that have been left without access to Google's official patch. Duo Security announced the availability of an Android utility dubbed 'ReKey' on Tuesday. The tool allows users to patch the so-called 'Master Key' vulnerability on Android devices, even in the absence of a security update from Android handset makers and carriers who service the phones, according to a post on the Duo Security blog. Jon Oberheide, the CTO of Duo Security, said that ReKey provides an in-memory patch for the master key vulnerability, dynamically instrumenting the Dalvik bytecode routines where the vulnerability originates, patching it in-memory. Oberheide said that ReKey will also 'hook' (or monitor) those routines to notify you if any malicious applications attempt to exploit the vulnerability. Despite the availability of a patch since March, many Android users remain vulnerable to attacks that take advantage of the application signing flaw. That is because Android handset makers have been slow to issue updates for their handsets. For platforms (HTC and Samsung) that have been patched, carriers delayed the rollout to customers further. 'The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,' said Oberheide. However, the fragmentation of the Android ecosystem is significant enough that it is no longer feasible for Google to take over responsibility for distributing patches. Third parties may need to step in to fill the void."
A related article makes the case that the release of the Master Key vulnerability started an important conversation within the open source community