Feeds

back to article Finally, someone's fixed THAT Android hole. Was it your mobe network? No

A new tool attempts to close down the master-key vulnerability in Google Android that allows malicious software to masquerade as legit apps. Free utility ReKey hooks into the underlying operating system to defend fandroids who may be fretting about exactly when an official patch will arrive from their smartphone manufacturer or …

COMMENTS

This topic is closed for new posts.
Boffin

The Android device needs to be rooted

From www.rekey.io :

"In order to patch the vulnerabilities on your device, ReKey requires escalated privileges. Normal unprivileged applications on stock Android devices do not possess such privileges, hence the need for a rooted device with the Superuser (or similar) application."

10
1

Re: The Android device needs to be rooted

They do say that it would be possible to use the vulnerability to patch the vulnerability (rather than via rooting) but prefer not to distribute a working example of an exploit (at the moment).

1
0
JDX
Gold badge

Re: The Android device needs to be rooted

I should hope so (needs to be rooted I mean)... I was about to make a scathing remark that "Free utility ReKey hooks into the underlying operating system" was even possible...

1
0
Silver badge
Meh

One door closes

One door closes and another door opens.

0
0
FAIL

"but only the Samsung Galaxy S4 has been patched to protect against it"

According to the Bluebox's security scanner, my Galaxy Note 2, Galaxy Note 8, and HTC One are also already patched!

2
1

Re: "but only the Samsung Galaxy S4 has been patched to protect against it"

According to the patch website, Bluebox scanner isn't working properly.

0
0

Re: "but only the Samsung Galaxy S4 has been patched to protect against it"

My Galaxy S Advance too.

Presumably with the Jelly Bean update it got in late early June.

1
0
APA

Re: "but only the Samsung Galaxy S4 has been patched to protect against it"

Quick poll of Android devices in the office that are "patched":

Sony Xperia Z

Sony Xperia SP

Samsung Galaxy S III

Something's not right here. The first two are fairly new but the S3 hasn't been patched for ages. Either the statement "only the Samsung Galaxy S4 has been patched" is incorrect, or the scanner's wrong, or not all devices were vulnerable in the first place.

0
0

Re: "but only the Samsung Galaxy S4 has been patched to protect against it"

No - according to the patch website, the Bluebox scanner is failing to detect their patch in some cases, and stating that the phone is still vulnerable when it isn't. i.e. a false negative rather than a false positive.

0
0

Re: "but only the Samsung Galaxy S4 has been patched to protect against it"

Just tried the Bluebox tool on a HTC Desire S and it says unpatched, also tried on a Galaxy Note 2 which it says is patched, the Note 2 did download an update as soon as I unboxed it.

My Galaxy S3 did actually download a small patch from Vodafone quite recently, unfortunately it's being repaired at the moment as I dropped it and am unable to test.

0
0
Anonymous Coward

You know the drill!

Why are these articles always about MS? Give yourself a shake and stop using MS products....

(It's pithier but still as stupid!!! win win!!)

1
6
Stop

Please stop referring to it as 'master key'. The key is fine - there's just a hole in the door.

1
0
FAIL

It would also appear

that ReKey is having problems and causing some devices to enter a boot-loop. They say it's fixed in the latest version, but "non-destructive"? a boot-loop you can't get out of is a major implementation flaw, and almost as good as bricking your device.

I'll be waiting for a few more positive reviews before I take the plunge, personally.

2
0
Anonymous Coward

You know what is coming next.

Lots of fake versions of this tool posted in forums by devious buggers.

4
0
Alert

While I have no doubt that ReKey is genuine, it does request "full network access" and attempts to phone home on installation, without saying why or asking permission. Not good practice.

9
1
Silver badge
Thumb Down

Not good practice.

Maybe not, but very common....

0
0

@Steve Graham 12:28

It doesn't matter what permissions it asks for. When you give it root access it can do anything it wants.

1
0
Holmes

If you are rooted, which is required for ReKey, what stops you from using a firewall app like droidwall to prevent that network access?

0
0
Silver badge

The fact that it can just disable the firewall with a root shell. Even system apps are vulnerable to a root shell. That's why SU apps prompt you before they're given the OK. It's all up to you to make sure what you're allowing does what it's supposed to do because once they get the shell, it's all "caveat utilitor".

0
0
Anonymous Coward

vulnerable to whom? in whom can we really and honestly trust?

as it is reported, all Android powered devices are OPEN to the world without the patch.

can we really complain about a 'fix' that 'takes root and/or superuser privileges' in order to close the security flaw?

which is the lesser evil, 'devious gov's, individuals, institutions, mobile phone carriers' placing malware on your device via this flaw or 'some basic trust' in a well meaning security group, that yes could be hacked themselves to produce a product or backdor?

bit like your front door lock being broken. do you:

a) close the door hoping no-one will try and get in?

b) trust that the person who replaced the lock didn't sell a spare key to one of his mates?

1
3
Anonymous Coward

Re: vulnerable to whom? in whom can we really and honestly trust?

I think you're miss understanding. The front door isn't open as you must first install a dodgy application for it to gain access to your system. This is more akin to your safe door being open and you then opening your front door and inviting a burglar in.

0
0

Who do you believe?

Bluebox scanner says my Galaxy S2 is patched, but I find this very unlikely.

0
0
Go

Re: Who do you believe?

Try installing the proof of concept APK on the ReKey website via ADB.

I tried on my devices which the Bluebox security scanners reports as patched and it failed - which is the correct behaviour for a patched device.

0
0

Genuine question

Have I misunderstood this vulnerability or is it:

- Hacker could take Facebook/Twitter/etc. APK.

- Add malicious code into it.

- Distribute the app (via 3rd party sites unless they have access to the companies Google Play login) and it would be installed as a valid update to your already installed Facebook/Twitter/etc. apps.

But if you could get people to install your app from a non-Google Play source, couldn't you just as easily have them install any app that's labelled as Facebook/Twitter/etc. and just have the app open a web view or crash on startup (once you've done whatever you wanted to)?

So what's the real vulnerability to end users? Not suggesting it shouldn't be fixed, but how does this make it easier to infect a phone?

1
0
Bronze badge

Finally? Cyanogenmod fixed it last week:

https://github.com/CyanogenMod/android_libcore/commit/f96064dfa4191cf58a7d96326002fc6e3423a123

1
0

Do not get this app

Go get the Bluebox Security App which will tell you if your Android OS passes the test. ReKey gets it wrong and supposedly will patch a flaw that is already patched in 4.2.2

0
0
Alert

Not all of us want to root our devices due to warranty issues! So are we left stranded?

0
0
This topic is closed for new posts.