View Single Post
Old July 19th, 2013, 08:37 AM   #3 (permalink)
ironass
Senior Member
Thread Author (OP)
 
ironass's Avatar
 
Join Date: Aug 2010
Location: Cotswolds, England
Gender: Male
Posts: 8,745
 
Device(s): SGS5 SM-G900F. Rooted. KitKat 4.4.4. CM11 ROM. Baseband: NJ1. CM kernel+TWRP.
Carrier: Vodafone

Thanks: 1,192
Thanked 3,946 Times in 2,599 Posts
Default

Quote:
Originally Posted by sntaylor View Post
I'm just curious about this article that states the s4 doesn't have to worry?
Making sense of the latest Android 'Master Key' security scare | Android Central
UPDATE

In reality, because the S4's firmware is so new, that certainly the later updates should have the Google patch to fix the bug, 8219321. However, other Android devices that are older and have not received a recent build firmware update, will be at risk.

Since writing post #1, I have uninstalled ReKey and run a test using the newly released, SRT AppScanner, free from the Play Store. This confirmed that on my current firmware, MGA, build date 11 JUL; that there is no vulnerability to the Bluebox bug 8219321 and that ReKey is not required.

However, perhaps just as worryingly, the second, more recent, Master Key bug 9695860, usually referred to as the, "Chinese Master Key bug", has not been patched by Google in this firmware and is not covered by ReKey. This bug, only discovered very recently, is already patched by Google in the very latest versions of code for Android, (commit), but as yet, has not made its way down the chain for release.

There has in the last few days, been a Universal fix released for both the 8219321 and 9695860 bugs but this entails flashing a framework to your phone before applying the Universal Fix.

For more details on this, see Tungstwenty's xda thread, here.

The bottom line is that if you currently want protection from both of these bugs then Dual Fix is the way to go until a firmware for your device is released that patches both vulnerabilities. Which, in the case of older devices, might be never.

Below are 2 screenshots from SRT AppScanner showing that whilst ReKey has indeed patched one bug, the device is still vulnerable to the latest one. The 2nd screenhot shows the device after installing the framework .apk and Dual Fix .apk...

ReKey Fix only




Dual Fix

__________________
Did you know that hitting the Thanks button is quicker than typing it and the Search button is your friend.

Dummies Guides Rooting Galaxy S4 * Know Your S4 * Update Problems * Knox Security * Bloatware * GPS
ironass is offline  
Last edited by ironass; August 16th, 2013 at 01:35 AM. Reason: images added
Reply With Quote
The Following User Says Thank You to ironass For This Useful Post:
sntaylor (July 19th, 2013)