Slashdot Mirror


Students, Start-Up Team To Create Android 'Master Key' Patch App

chicksdaddy writes "The saga of the application-signing flaw affecting Google's Android mobile phones took another turn Tuesday when a Silicon Valley startup teamed with graduate students from Northeastern University in Boston to offer their own fix-it tool for hundreds of millions of Android phones that have been left without access to Google's official patch. Duo Security announced the availability of an Android utility dubbed 'ReKey' on Tuesday. The tool allows users to patch the so-called 'Master Key' vulnerability on Android devices, even in the absence of a security update from Android handset makers and carriers who service the phones, according to a post on the Duo Security blog. Jon Oberheide, the CTO of Duo Security, said that ReKey provides an in-memory patch for the master key vulnerability, dynamically instrumenting the Dalvik bytecode routines where the vulnerability originates, patching it in-memory. Oberheide said that ReKey will also 'hook' (or monitor) those routines to notify you if any malicious applications attempt to exploit the vulnerability. Despite the availability of a patch since March, many Android users remain vulnerable to attacks that take advantage of the application signing flaw. That is because Android handset makers have been slow to issue updates for their handsets. For platforms (HTC and Samsung) that have been patched, carriers delayed the rollout to customers further. 'The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,' said Oberheide. However, the fragmentation of the Android ecosystem is significant enough that it is no longer feasible for Google to take over responsibility for distributing patches. Third parties may need to step in to fill the void." A related article makes the case that the release of the Master Key vulnerability started an important conversation within the open source community.

15 of 87 comments

  1. Rooted Only by nurb432 · · Score: 4, Insightful

    Leaves out 99% of the devices out there.

    --
    ---- Booth was a patriot ----
    1. Re:Rooted Only by hairyfeet · · Score: 4, Interesting

      Exactly, you can say a lot of shit about MSFT but the length of support is just incredible. Compare this with Android where many of the devices being sold today will NEVER get a patch or update, hell go to Walmart.com and look under Android to see how many 2.x devices they are selling RIGHT NOW and you just know those devices are never gonna see this patch or any other patch for that matter.

      Like it or not, and personally I think Google made a pretty slick OS, but Android is by far the most fragmented and least supported of the mobile OSes. If guys want to know what a downside to FOSS is here ya go, because Google can't control the code they can't make the OEMs go with the safer latest and greatest, nor patch older versions, hell Google can't even get them to stop putting out 2.x devices.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Re:patching by Xicor · · Score: 2

    Yea, I use AOKP and I love it. That being said, it isn't Google's fault that they can't get the patches out to everyone as soon as they create them. The problem lies with the cell phone distributors who consistently take forever to install all their adware and crapware onto each patch before deployment. It takes AT&T over a year to release the operating systems on their phones, whereas a rooted phone can get it instantly.

  3. Another attack vector by derfla8 · · Score: 3, Interesting

    Looks like a great way for someone to create a fake update and publicize it as a third-party patch. Google needs to make good on do no evil by proactively doing good.

  4. Reviews are showing some problems by Scoth · · Score: 4, Informative

    The reviews on the Play store are showing a fairly high possibility of a bootloop. While I'm all for open source and public patches where appropriate, I expect I'll be passing on this one for now.

  5. Odds Are by Greyfox · · Score: 2, Interesting

    I'm guessing someone's going to sue them for their efforts. As we've seen time and again, no good deed goes unpunished.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  6. Both sides of his mouth by __aaltlg1547 · · Score: 3, Insightful

    'The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,' said Oberheide. However, the fragmentation of the Android ecosystem is significant enough that it is no longer feasible for Google to take over responsibility for distributing patches. Third parties may need to step in to fill the void."

    But, but, if it's no longer feasible for Google to provide patches, how come he says his company, with vastly fewer resources, can do it?

    It stands to reason that if Google can't patch your phone because of "fragmentation of the ecosystem," nobody else can either. That makes me not at all anxious to install his patch.

  7. Re:Why is there Fragmentation? by exomondo · · Score: 2

    With desktop Windows and Linux, the latest version works on all (powerful enough) computers. Why can't it be this way on Android?

    It is that way on Android, you can install vanilla Android from AOSP on just about any device that's powerful enough if the bootloader is not locked by the OEM. Problem - as I understand it - is most devices aren't powerful enough to run the latest version. Of course this is compounded by fragmentation within versions, for every version of Android most OEMs create their own version of that. That is why the Galaxy S didn't get an official ICS update, the official Android versions for it were forked versions of the AOSP versions and these Samsung forks required more RAM and ROM than the Galaxy S had even though the AOSP version of that Android version worked fine on it, that is why fragmentation is a problem.

  8. Your fault. by Areyoukiddingme · · Score: 2

    And by you, I mean all you people who don't merely tolerate the behavior of the cellular phone companies, but actually encourage it by giving them silly amounts of money every month.

    It's YOUR DEVICE. We've been down this goddamn road before. Nobody remembers Ma Bell? Nobody remembers Ma Bell owning all devices connected to their precious network? Nobody remembers what a debacle that was? How has this been allowed to arise again?

    A smartphone is a stupid name for a pocket computer. And apparently, thanks to the cellular companies, it's going to behave just as badly as a desktop computer of yesteryear. It's like every Windows 98 machine ever shipped was connected to the modern internet yesterday. Madness.

    And it's all your fault.

  9. Re:don't let carriers lock phones down or force th by wierd_w · · Score: 2

    This doesn't solve the actual problem in the handset world, especially with android.

    That problem?

    Closed source binary drivers for novelty features in specific handsets that are incompatible with newer android builds, due to improved/newer linux kernels being in them.

    Take for instance, my horribly crippled, antique android device:
    SGH-T839 (Sidekick 4G)

    This device runs Froyo, and has been officially abandoned by T-mobile and Samsung for almost 2 years now. It has a 1ghz hummingbird cpu, and approx 512mb of ram, of which about 300mb is useable for programs. It has a strange camera driver, to make use of both rear facing and front facing cameras, and a strange hardware keyboard driver.

    It is otherwise very similar inside to an older galaxy based device.

    The only roms in existence for this device are recooked images of the (bloated as hell) stock rom. There is no CM support. There is no official ICS upgrade, despite it being theoretically possible. Nada. This, despite the complete source for the kernel of the device being GPLed by samsung when they EOLed it, and said sources being publicly available.

    The device had a root access and bootloader unlocker within weeks of release.

    This community patch is the only security fix I have been able to apply to this handset in a very long time.

    IMHO, better option is to require handset makers to offer at least one major android revision upgrade per device lifecycle.

    This device was born froyo, it will eventually die froyo. I would rather it die ICS. Most times, EOLed devices are physically capable of running the next higher android release, but the maker refuses to sink the development money. I would pay 50$ extra or more for having the guarantee of getting the next major android release during the product lifespan. The handset makers don't see that their refusal to provide extended support in this fashion hurts their brands, and hurts the device ecosystem. All they see is "the next big thing!" on the horizon.

    They don't want to "waste time" with "old, legacy devices" like mine. They are much more interested in selling me a brand new device, that they will EOL in 1 year.

  10. What's Google's excuse for not patching the N4? by SuperBanana · · Score: 3, Insightful

    That is because Android handset makers have been slow to issue updates for their handsets.

    I have a Google Nexus 4, supposedly gets all the updates right away, first to get new versions of Android, etc. I haven't seen an update since I bought the phone 6+ months ago. Samsung has apparently patched their phones; Google announced a code fix months ago.

    What's Google's excuse for not patching my device? No carriers involved, current model, etc.

    1. Re:What's Google's excuse for not patching the N4? by Bieeanda · · Score: 2

      They're probably trying to fold it into google+, like everything else.

    2. Re:What's Google's excuse for not patching the N4? by greg1104 · · Score: 2

      The last major Android update applied to Nexus phones was 4.2.2, which rolled out in February. If you haven't gotten an update in six months, something is wrong with your setup. My Nexus phone has also gotten multiple revamps to various Play applications in the last few months, which was most noticeable to me in a complete redesign of the Play Music application. The last update there I know of was a month ago. I'm not certain what form (if any) the fix for this exploit has been pushed to the phones yet--could be a core update or fix in a play app--but your claim that they haven't changed anything recently isn't true.

  11. Re:Why is there Fragmentation? by FireFury03 · · Score: 2

    It is that way on Android, you can install vanilla Android from AOSP on just about any device that's powerful enough if the bootloader is not locked by the OEM. Problem - as I understand it - is most devices aren't powerful enough to run the latest version.

    Most devices require closed source binary blobs to drive much of the hardware. So yes, you can install AOSP on any phone so long as you don't mind not having a working cellular radio, wifi, gps, screen, bluetooth, ...

  12. Re:patching by RogerWilco · · Score: 2

    Which in turn is Google's fault for designing Android to be sold that way. They deliberately choose not to have control over the fragmentation and issues like this.

    --
    RogerWilco the Adventurous Janitor