Android Google Security

Students, Start-Up Team To Create Android 'Master Key' Patch App

Posted by Soulskill
from the exercise-for-the-readers dept.
chicksdaddy writes "The saga of the application-signing flaw affecting Google's Android mobile phones took another turn Tuesday when a Silicon Valley startup teamed with graduate students from Northeastern University in Boston to offer their own fix-it tool for hundreds of millions of Android phones that have been left without access to Google's official patch. Duo Security announced the availability of an Android utility dubbed 'ReKey' on Tuesday. The tool allows users to patch the so-called 'Master Key' vulnerability on Android devices, even in the absence of a security update from Android handset makers and carriers who service the phones, according to a post on the Duo Security blog. Jon Oberheide, the CTO of Duo Security, said that ReKey provides an in-memory patch for the master key vulnerability, dynamically instrumenting the Dalvik bytecode routines where the vulnerability originates, patching it in-memory. Oberheide said that ReKey will also 'hook' (or monitor) those routines to notify you if any malicious applications attempt to exploit the vulnerability. Despite the availability of a patch since March, many Android users remain vulnerable to attacks that take advantage of the application signing flaw. That is because Android handset makers have been slow to issue updates for their handsets. For platforms (HTC and Samsung) that have been patched, carriers delayed the rollout to customers further. 'The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,' said Oberheide. However, the fragmentation of the Android ecosystem is significant enough that it is no longer feasible for Google to take over responsibility for distributing patches. Third parties may need to step in to fill the void." A related article makes the case that the release of the Master Key vulnerability started an important conversation within the open source community.
This discussion has been archived. No new comments can be posted.

  • Rooted Only (Score:5, Insightful)

    by nurb432 (527695) on Tuesday July 16, 2013 @10:14PM (#44304929) Homepage Journal

    Leaves out 99% of the devices out there.

  • The patching thing is a bit of a joke. If I had an android phone, I'd want an equivalent to Ubuntu to provide a 3rd-party OS with regular updates. I think 3rd-party Android distributions are out there, do they handle security updates well?
    • by Anonymous Coward

      Yes. I run a flavor of the AOSP (android open source project) and was patched virtually first day the code was given out by google. I'd recommend a nightly build for security, even if the dailies add new functional faux pas at points. they usually get fixed, but documented security stuff is fixed pretty quick. even if say google is informed, doesn't release code - if the android community at large is informed, it gets pushed into the larger releases pretty quick.

      • by Xicor (2738029)
        yea, i use aokp and i love it. that being said, it isn't google's fault that they can't get the patches out to everyone as soon as they create them. the problem lies with the cell phone distributors who consistently take forever to install all their adware and crapware onto each patch before deployment. it takes at&t over a year to release the operating systems on their phones, whereas a rooted phone can get it instantly.
        • Mind you, I have a stock Galaxy Nexus and it is yet to offer the patch. If Google can't even provide a fix to the core community, what hope do OEM users have?
          • by Ravadill (589248)
            The problem with the Galaxy Nexus is that Samsung are in charge of updates for a lot of the variants of this phone. There has been some debate on whether it should be called a true "nexus" phone at all.
        • by RogerWilco (99615)

          Which in turn is Google's fault for designing Android to be sold that way. They deliberately choose not to have control over the fragmentation and issues like this.

        • by jeffmeden (135043)

          yea, i use aokp and i love it. that being said, it isn't google's fault that they can't get the patches out to everyone as soon as they create them. the problem lies with the cell phone distributors who consistently take forever to install all their adware and crapware onto each patch before deployment. it takes at&t over a year to release the operating systems on their phones, whereas a rooted phone can get it instantly.

          Except, my "adware and crapware" laden Samsung Galaxy S3 from Verizon was patched a few days after the story was in the news, without me rooting or romming or anything. Nexus devices that get updates straight from Google (who has publicized the patched code) have not been patched via update yet. Phones running totally custom ROMs (which is very different from rooting, fyi) can obviously get the update whenever the ROM maintainer releases a patch, or if their ROM isn't maintained (a lot aren't) they can swit

    • by Anonymous Coward

      Indeed some do. Cyanogenmod is probably the most mature of them. By nature that means they're not always the fastest to new features, but they're reliable and thorough.

      Check out the most recent weekly review post on their site; it mentions the security issues brought to light last week and the two point releases in response.

      http://www.cyanogenmod.org/blog/this-week-in-cm-july-12-2013

      • by mrbester (200927)

        Hmm. The BlueBox app is reporting that my phone isn't patched even though I'm on 10.1.2...

  • by derfla8 (195731) on Tuesday July 16, 2013 @10:45PM (#44305113)

    Looks like a great way for someone to create a fake update and publicize it as a third-party patch. Google needs to make good on do no evil by proactively doing good.

  • by Scoth (879800) on Tuesday July 16, 2013 @10:56PM (#44305157)

    The reviews on the Play store are showing a fairly high possibility of a bootloop. While I'm all for open source and public patches where appropriate, I expect I'll be passing on this one for now.

  • Odds Are (Score:3, Interesting)

    by Greyfox (87712) on Tuesday July 16, 2013 @11:01PM (#44305189) Homepage Journal
    I'm guessing someone's going to sue them for their efforts. As we've seen time and again, no good deed goes unpunished.
  • by Shavano (2541114) on Tuesday July 16, 2013 @11:30PM (#44305313)

    'The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,' said Oberheide. However, the fragmentation of the Android ecosystem is significant enough that it is no longer feasible for Google to take over responsibility for distributing patches. Third parties may need to step in to fill the void."

    But, but, if it's no longer feasible for Google to provide patches, how come he says his company, with vastly fewer resources, can do it?

    It stands to reason that if Google can't patch your phone because of "fragmentation of the ecosystem," nobody else can either. That makes me not at all anxious to install his patch.

    • by gl4ss (559668)

      they aren't willing to take the risk of bricking the phones.

      you have to connect through adb or mitm the play store to exploit it anyways.

  • force them to give the unlock codes no questions asked even if you are on a phone payment plan.

    • by wierd_w (1375923)

      This doesn't solve the actual problem in the handset world, especially with android.

      That problem?

      Closed source binary drivers for novelty features in specific handsets that are incompatible with newer android builds, due to improved/newer linux kernels being in them.

      Take for instance, my horribly crippled, antique android device:
      SGH-T839 (Sidekick 4G)

      This device runs Froyo, and has been officially abandoned by T-mobile and Samsung for almost 2 years now. It has a 1ghz hummingbird cpu, and approx 512mb of ra

      • by MrMickS (568778)

        Welcome to the mobile phone handset business model. This was the business model for these suppliers long before Android came along, do you really think they are going to change now? Instead of fixing older handsets they want to release new variants every few months to tempt the unwary with a new bright shiny thing.

        The only company doing anything different, no matter how much Slashdot hate them, is Apple. The limited hardware targets they have to deal with allows them to provide longer support and it's someth

    • by Sockatume (732728)

      That'd unlock the SIM card slot, I'm not sure what it would do for getting new software onto the device.

  • by Areyoukiddingme (1289470) on Wednesday July 17, 2013 @12:34AM (#44305547)

    And by you, I mean all you people who don't merely tolerate the behavior of the cellular phone companies, but actually encourage it by giving them silly amounts of money every month.

    It's YOUR DEVICE. We've been down this goddamn road before. Nobody remembers Ma Bell? Nobody remembers Ma Bell owning all devices connected to their precious network? Nobody remembers what a debacle that was? How has this been allowed to arise again?

    A smartphone is a stupid name for a pocket computer. And apparently, thanks to the cellular companies, it's going to behave just as badly as a desktop computer of yesteryear. It's like every Windows 98 machine ever shipped was connected to the modern internet yesterday. Madness.

    And it's all your fault.

    • by wierd_w (1375923)

      My device had root and an unlocked loader within hours of purchase.

      It has never had a major android upgrade.

      Neither the foss community, the rom hack community, the carrier, nor the handset maker have released such a rom.

      At the time, the device was comparable hardware wise to early galaxy handsets. It looked for all the world like the community would be able to support it with little effort as a windfall from supporting galaxy.

      Turns out that wasn't the case.

    • It's your device when you drop it on the ground or it gets messed up by a bad update pushed by the telco, or it simply breaks after 2 years due to intentionally shoddy manufacture. It's their device when you want to root it or run some software they have not blessed via their app store or signing system, or want to transfer the device to another carrier.

      It's the worst of both worlds for the consumer. And we are letting them do it to us via their uncompetitive practices and lock-in contracts.

  • by SuperBanana (662181) on Wednesday July 17, 2013 @12:37AM (#44305559)

    That is because Android handset makers have been slow to issue updates for their handsets.

    I have a Google Nexus 4, supposedly gets all the updates right away, first to get new versions of Android, etc. I haven't seen an update since I bought the phone 6+ months ago. Samsung has apparently patched their phones; Google announced a code fix months ago.

    What's Google's excuse for not patching my device? No carriers involved, current model, etc.

    • by Bieeanda (961632)
      They're probably trying to fold it into google+, like everything else.
    • Yeah - same here - and never mind that the latest version of Android on my Galaxy Nexus made Bluetooth inoperable in my car too. Google has hundreds of bug reports, but are yet to offer a fix or even acknowledge that there is a problem. Sadly Google are letting the very people down they should be giving most attention: The early adopters and Android enthusiasts.
      • by Yebyen (59663)

        Like everywhere else, you (the consumer) are not Google's customer.

        They would honestly rather sell the devices to third parties who will support them and review/push patches and updates. The person selling the device for $100 is not incentivized to provide any support beyond what's required by law. Google charges $200 because you have higher expectations of them, and they are more visible. Samsung, ASUS, HTC, Sony, and the other big-name competitors in the tablet and phone markets can get away with charg

      • A couple years ago an update merged the navigation volume control into the audio output volume control. Now it is impossible to use the device for navigation and playing music at the same time. The navigation volume is 10% of the music volume and there is no way to change it. There are hundreds of bug reports and google just doesn't care.

        Not that they have ever cared about bug reports on their products. You and I are simply not their customer, in Google's eyes listening to us can only cost them money and no

    • by swillden (191260)

      Are you sure your phone hasn't been patched? My Nexus 7 has, according to https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner [google.com]

    • by greg1104 (461138)

      The last major Android update applied to Nexus phones was 4.2.2, which rolled out [cnet.com] in February. If you haven't gotten an update in six months, something is wrong with your setup. My Nexus phone has also gotten multiple revamps to various Play applications in the last few months, which was most noticeable to me in a complete redesign of the Play Music application. The last update there I know of was a month ago [engadget.com]. I'm not certain what form (if any) the fix for this exploit has been pushed to the phones yet

  • ... android patches YOU!!!!
  • Whilst it's common (and often justified) to have a pop at the carriers for delaying or preventing updates to devices, it's worth pointing out that I've got access to a whole range of Android devices direct from a number of different OEMs and not a single one of them has yet received an OTA update to fix this vulnerability.

    The carriers may still slow down this process, but it's already going slow enough with just the OEMs involved.

  • Thought I'd point out that it's the vertical integration design of Android that has led to this carrier conundrum in which updates and upgrades are forced to go through the carriers, but the carriers are focused on new sales not maintaining old hardware. So the engineering resources they're willing to invest are minimal, leaving users out in the cold.

    This is something that's of interest to me in the design of Firefox OS, which completely separates out the Linux kernel, and the two layers on top of that

    • by Sockatume (732728)

      I'm not sure what you mean by "vertically integrated" here. Can you elaborate on that?

      • by PhilHibbs (4537)

        It's a standard term. It means that several components in the chain are all controlled by one company. Pretty much all smartphones are vertically integrated - Apple make the iPhone and the OS and control both. Samsung make the Galaxy and also control distribution of the Android software on it. If they also make the components, or just exert close control over the production of them, then it's even more vertically integrated.

      • by caspy7 (117545)

        Sorry if the term was used in a confusing way.
        The idea being communicated was that the different layers of Android (kernel, libraries, Dalvik, etc) are implemented in a way such that they cannot be separately updated. (Probably my understanding of the stack is flawed, I had been thinking that the code was perhaps not cleanly separate in the layers - hence the "vertical integration" idea.)

        Either way, the point stands that Android cannot be updated piecemeal, thereby relying solely on carriers, greatly hurti
