Students, Start-Up Team To Create Android 'Master Key' Patch App

chicksdaddy writes "The saga of the application-signing flaw affecting Google's Android mobile phones took another turn Tuesday when a Silicon Valley startup teamed with graduate students from Northeastern University in Boston to offer their own fix-it tool for hundreds of millions of Android phones that have been left without access to Google's official patch. Duo Security announced the availability of an Android utility dubbed 'ReKey' on Tuesday. The tool allows users to patch the so-called 'Master Key' vulnerability on Android devices, even in the absence of a security update from Android handset makers and carriers who service the phones, according to a post on the Duo Security blog. Jon Oberheide, the CTO of Duo Security, said that ReKey provides an in-memory patch for the master key vulnerability, dynamically instrumenting the Dalvik bytecode routines where the vulnerability originates, patching it in-memory. Oberheide said that ReKey will also 'hook' (or monitor) those routines to notify you if any malicious applications attempt to exploit the vulnerability. Despite the availability of a patch since March, many Android users remain vulnerable to attacks that take advantage of the application signing flaw. That is because Android handset makers have been slow to issue updates for their handsets. For platforms (HTC and Samsung) that have been patched, carriers delayed the rollout to customers further. 'The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,' said Oberheide. However, the fragmentation of the Android ecosystem is significant enough that it is no longer feasible for Google to take over responsibility for distributing patches. Third parties may need to step in to fill the void." A related article makes the case that the release of the Master Key vulnerability started an important conversation within the open source community.

Another attack vector

[derfla8]

Looks like a great way for someone to create a fake update and publicize it as a third-party patch. Google needs to make good on do no evil by proactively doing good.

Odds Are

[Greyfox]

I'm guessing someone's going to sue them for their efforts. As we've seen time and again, no good deed goes unpunished.

Re:Rooted Only

[hairyfeet]

Exactly, you can say a lot of shit about MSFT but the length of support is just incredible. Compare this with Android where many of the devices being sold today will NEVER get a patch or update, hell go to Walmart.com and look under Android to see how many 2.x devices they are selling RIGHT NOW and you just know those devices are never gonna see this patch or any other patch for that matter.

Like it or not, and personally i think Google made a pretty slick OS, but Android is by far the most fragmented and least supported of the mobile OSes. If guys want to know what a downside to FOSS is here ya go, because Google can't control the code they can't make the OEMs go with the safer latest and greatest, nor patch older versions, hell Google can't even get them to stop putting out 2.x devices.