Students, Start-Up Team To Create Android 'Master Key' Patch App
chicksdaddy writes "The saga of the application-signing flaw affecting Google's Android mobile phones took another turn Tuesday when a Silicon Valley startup teamed with graduate students from Northeastern University in Boston to offer their own fix-it tool for hundreds of millions of Android phones that have been left without access to Google's official patch. Duo Security announced the availability of an Android utility dubbed 'ReKey' on Tuesday. The tool allows users to patch the so-called 'Master Key' vulnerability on Android devices, even in the absence of a security update from Android handset makers and carriers who service the phones, according to a post on the Duo Security blog. Jon Oberheide, the CTO of Duo Security, said that ReKey provides an in-memory patch for the master key vulnerability, dynamically instrumenting the Dalvik bytecode routines where the vulnerability originates, patching it in-memory. Oberheide said that ReKey will also 'hook' (or monitor) those routines to notify you if any malicious applications attempt to exploit the vulnerability. Despite the availability of a patch since March, many Android users remain vulnerable to attacks that take advantage of the application signing flaw. That is because Android handset makers have been slow to issue updates for their handsets. For platforms (HTC and Samsung) that have been patched, carriers delayed the rollout to customers further. 'The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,' said Oberheide. However, the fragmentation of the Android ecosystem is significant enough that it is no longer feasible for Google to take over responsibility for distributing patches. Third parties may need to step in to fill the void."
A related article makes the case that the release of the Master Key vulnerability started an important conversation within the open source community.
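The "application-signing flaw" in the summary is the duplicate-ZIP-entry bug: an APK could carry two entries with the same name, and because different parts of the platform resolved a name to a different one of the two entries, the bytes whose hash was checked against the signature were not the bytes that ended up being loaded. The example below is added here and is not Duo Security's ReKey code or anything from the linked articles. It builds a small APK-like archive in memory with a duplicated "classes.dex" (constructed sample data, payloads are placeholders, not real DEX), walks the ZIP central directory by hand so the result does not depend on any library's own first-wins or last-wins lookup, reports duplicated names, and shows that a first-match and a last-match resolver return different payloads for the same name, which is exactly the disagreement a hook on the entry-lookup routine would have to flag.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

# Constructed sample: two entries share the name "classes.dex". The payload
# bytes are placeholders so the first/last distinction is visible; they are
# not DEX code and this is not an exploit file.
def build_duplicate_apk() -> bytes:
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns "Duplicate name" but still writes both entries
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"entry-A")
            zf.writestr("classes.dex", b"entry-B")
    return buf.getvalue()

def build_clean_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"entry-A")
    return buf.getvalue()

def read_entries(data: bytes) -> list:
    """Parse the ZIP central directory directly and return [(name, payload)]
    in directory order, keeping every duplicate. Only STORED entries are
    handled, which is all the constructed samples use."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entry count (u16) at +10, directory size (u32) at +12,
    # directory offset (u32) at +16
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    pos = cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        method, = struct.unpack_from("<H", data, pos + 10)
        comp_size, = struct.unpack_from("<I", data, pos + 20)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8")
        if method != 0:
            raise ValueError("only STORED entries supported: %s" % name)
        # Local file header is 30 bytes, then name and extra field, then data
        lname_len, lextra_len = struct.unpack_from("<HH", data, local_off + 26)
        start = local_off + 30 + lname_len + lextra_len
        entries.append((name, data[start:start + comp_size]))
        pos += 46 + name_len + extra_len + comment_len
    return entries

def duplicate_names(data: bytes) -> list:
    """Names that appear more than once in the central directory."""
    counts = Counter(name for name, _ in read_entries(data))
    return sorted(n for n, c in counts.items() if c > 1)

def resolve(entries: list, name: str, last_wins: bool) -> bytes:
    """Model two lookup strategies: a map filled by insertion returns the
    last duplicate, a scan that stops at the first hit returns the first."""
    payloads = [p for n, p in entries if n == name]
    if not payloads:
        raise KeyError(name)
    return payloads[-1] if last_wins else payloads[0]

def check_apk(data: bytes) -> dict:
    """Summarise what a signature-time and a load-time lookup would each see."""
    entries = read_entries(data)
    dups = duplicate_names(data)
    return {
        "duplicates": dups,
        "disagreements": {
            n: (resolve(entries, n, False), resolve(entries, n, True))
            for n in dups
        },
    }

if __name__ == "__main__":
    print(check_apk(build_duplicate_apk()))
    print(check_apk(build_clean_apk()))
```

Any APK whose central directory contains a repeated name is rejected, whatever the payloads are; the disagreement map only exists to make it visible that "verify one, load the other" is what the duplicate buys an attacker. A real hook would have to sit on the platform's own entry lookup, since a userland check that opens the file with a library which silently picks one entry would see nothing wrong.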
Rooted Only (Score:5, Insightful)
Leaves out 99% of the devices out there.
Both sides of his mouth (Score:4, Insightful)
But, but, if it's no longer feasible for Google to provide patches, how come he says his company, with vastly fewer resources, can do it?
It stands to reason that if Google can't patch your phone because of "fragmentation of the ecosystem," nobody else can either. That makes me not at all anxious to install his patch.
Re:Rooted Only (Score:0, Insightful)
Face it, Android is a fail. We'll have 1 billion legacy insecure devices. It will be like Windows XP all over again.
What's Google's excuse for not patching the N4? (Score:4, Insightful)
That is because Android handset makers have been slow to issue updates for their handsets.
I have a Google Nexus 4, supposedly gets all the updates right away, first to get new versions of Android, etc. I haven't seen an update since I bought the phone 6+ months ago. Samsung has apparently patched their phones; Google announced a code fix months ago.
What's Google's excuse for not patching my device? No carriers involved, current model, etc.