1. Download our Official Android App: Forums for Android!

Andriod Security Patch

Discussion in 'Android Devices' started by Doc, Jul 21, 2013.

  1. Doc

    Doc Android Expert
    Thread Starter
    Rank:
    None
    Points:
    313
    Posts:
    1,784
    Joined:
    Aug 4, 2012

    Aug 4, 2012
    1,784
    1,462
    313
    Male
    IT Infrastructure Operations
    Portland OR

    Advertisement

  2. greg schmeg

    greg schmeg Guest
    Rank:
    None
    Points:
    93
    Posts:
    531
    Joined:
    Oct 8, 2012

    Oct 8, 2012
    531
    157
    93
    Male
    Orlando FL
    In the first update post in OP, he gives a link in play store for app that detects whether or not ur ROM has these bugs. I downloaded it and it listed the two known bugs. I'm on blu Kuban. I'm gonna download the app that supposedly fixes these bugs and report back. Thx doc. Interesting.
     
    Doc likes this.
  3. Doc

    Doc Android Expert
    Thread Starter
    Rank:
    None
    Points:
    313
    Posts:
    1,784
    Joined:
    Aug 4, 2012

    Aug 4, 2012
    1,784
    1,462
    313
    Male
    IT Infrastructure Operations
    Portland OR
    The only trick is after you install xposed, you will have to check the master key in the module and then reboot your phone....
     
  4. greg schmeg

    greg schmeg Guest
    Rank:
    None
    Points:
    93
    Posts:
    531
    Joined:
    Oct 8, 2012

    Oct 8, 2012
    531
    157
    93
    Male
    Orlando FL
    Doc, did u do the dual fix one that you run thru xposed? Or did u find on your ROM that they were already patched? Or did you just fix the one with the play store app?

    What does this all mean for the average user? Rooted or not? Will there be malware developed to exploit these vulnerabilities?
     
  5. Doc

    Doc Android Expert
    Thread Starter
    Rank:
    None
    Points:
    313
    Posts:
    1,784
    Joined:
    Aug 4, 2012

    Aug 4, 2012
    1,784
    1,462
    313
    Male
    IT Infrastructure Operations
    Portland OR
    As with any OS android, windows, mac theres always a chance of vulnerabilities, all you can do is keep them updated, that's the reason I posted up this thread.....:)
     
  6. i4cbj45

    i4cbj45 Well-Known Member
    Rank:
    None
    Points:
    36
    Posts:
    106
    Joined:
    Jan 6, 2012

    Jan 6, 2012
    106
    6
    36
    Male
    LTO
    I read on google+ that this " bug " is not a MAJOR threat to security. And that it only really exists to the ummm... " uneducated " users who will agree to ANY permissions when installing apps and such on their devices.
     
  7. Doc

    Doc Android Expert
    Thread Starter
    Rank:
    None
    Points:
    313
    Posts:
    1,784
    Joined:
    Aug 4, 2012

    Aug 4, 2012
    1,784
    1,462
    313
    Male
    IT Infrastructure Operations
    Portland OR
    "Earlier last month, RFP from BlueBox published a sneak preview of his upcoming BlackHat talk, detailing a vulnerability in the Android platform that affects nearly all Android devices. Soon after, a vulnerability of similar nature and impact was published on Chinese forum. Both of these "Master Key" vulnerabilities allow an attacker to modify the code of an Android package without affecting the signature of the package as verified by the package manager, which has serious implications when considering system-signed packages. From an end user perspective, the vulnerabilities allow an attacker to take full control of a user's device.

    Google will be issuing a fix for this in their newer releases of Android firmware. However, these fixes will take time to filter down the food chain from Google to carriers to users... if indeed, a firmware update is even issued for older devices that are now past End of Life, since this vulnerability affects 99% of all Android devices going back to Android 1.6, Donut.

    Not wishing to take a chance, I have installed an app, free from the Play Store, which is the result of a research collaboration between Duo Security, a cloud-based two-factor authentication and mobile security company, and Northeastern University's System Security Lab (NEU SecLab) and patches the, "Master Key", vulnerabilities on rooted devices.

    The patch is not phone, device or firmware specific... you can whack it on any Android device that is rooted. Once activated it patches the device but should you flash a different firmware you will need to patch it again"

    Don't know about you but im not going to take that chance.....
     
  8. greg schmeg

    greg schmeg Guest
    Rank:
    None
    Points:
    93
    Posts:
    531
    Joined:
    Oct 8, 2012

    Oct 8, 2012
    531
    157
    93
    Male
    Orlando FL
    Honestly though, how big is the threat of leaving it alone I wonder?
     
  9. Doc

    Doc Android Expert
    Thread Starter
    Rank:
    None
    Points:
    313
    Posts:
    1,784
    Joined:
    Aug 4, 2012

    Aug 4, 2012
    1,784
    1,462
    313
    Male
    IT Infrastructure Operations
    Portland OR
    Well who knows, personally I would be on the side of caution and beings that I deal with this kinda of security issues at work everyday, I would rather be safe than sorry but again that's my personal preference. I just posted up for everyones information and everyone can make there own decision....:)
     
  10. Codegerm

    Codegerm Android Expert
    Rank:
    None
    Points:
    413
    Posts:
    3,753
    Joined:
    Jul 13, 2011

    Jul 13, 2011
    3,753
    1,266
    413
    Male
    Commercial service Technician for ADT
    Gainesville, FL
    Here is more info on it for anyone interested. They have found 2 apps that use this bug, although not for malicious purposes

    Apps exploiting Android
     
    greg schmeg and Doc like this.
  11. greg schmeg

    greg schmeg Guest
    Rank:
    None
    Points:
    93
    Posts:
    531
    Joined:
    Oct 8, 2012

    Oct 8, 2012
    531
    157
    93
    Male
    Orlando FL
    You guys are on top of it
     
    Doc likes this.
  12. greg schmeg

    greg schmeg Guest
    Rank:
    None
    Points:
    93
    Posts:
    531
    Joined:
    Oct 8, 2012

    Oct 8, 2012
    531
    157
    93
    Male
    Orlando FL
    Success.
     

    Attached Files:

    Doc likes this.
  13. Codegerm

    Codegerm Android Expert
    Rank:
    None
    Points:
    413
    Posts:
    3,753
    Joined:
    Jul 13, 2011

    Jul 13, 2011
    3,753
    1,266
    413
    Male
    Commercial service Technician for ADT
    Gainesville, FL
    I tested the patch using the pirates island mahjong free app (one of the apps listed to have this exploit). Without the patch the app will install fine. I then removed it. After installing the patch, the app will not install with the error of "Package file not signed correctly"
     
    Doc and greg schmeg like this.
  14. Codegerm

    Codegerm Android Expert
    Rank:
    None
    Points:
    413
    Posts:
    3,753
    Joined:
    Jul 13, 2011

    Jul 13, 2011
    3,753
    1,266
    413
    Male
    Commercial service Technician for ADT
    Gainesville, FL
    May have run into a bug. With the patch installed I went to update an app and the phone rebooted in the middle of it. I restarted the update and it went through. This is the only change i have made to my system so i am fairly sure it has something to do with it. I am doing a little more testing, I generally don't like sudden reboots ad data being written at the time can be corrupted.
     
  15. Doc

    Doc Android Expert
    Thread Starter
    Rank:
    None
    Points:
    313
    Posts:
    1,784
    Joined:
    Aug 4, 2012

    Aug 4, 2012
    1,784
    1,462
    313
    Male
    IT Infrastructure Operations
    Portland OR
    Interesting, i havent had that happen to mine, thanks for letting us know.....
     
  16. Codegerm

    Codegerm Android Expert
    Rank:
    None
    Points:
    413
    Posts:
    3,753
    Joined:
    Jul 13, 2011

    Jul 13, 2011
    3,753
    1,266
    413
    Male
    Commercial service Technician for ADT
    Gainesville, FL
    Okay have done some more testing and found that you don't need the ReKey app at all. Your Protection can be established with just the Xposed framework and the master key dual fix module. I tested with that affected mahjong app and it won't install with the xposed framework and dual fix module installed and running, and the SRT Appscanner reports protected.
     
  17. Doc

    Doc Android Expert
    Thread Starter
    Rank:
    None
    Points:
    313
    Posts:
    1,784
    Joined:
    Aug 4, 2012

    Aug 4, 2012
    1,784
    1,462
    313
    Male
    IT Infrastructure Operations
    Portland OR
    Thank you sir............:D
     
  18. bilgerryan

    bilgerryan Android Enthusiast
    Rank:
    None
    Points:
    88
    Posts:
    312
    Joined:
    May 29, 2013

    May 29, 2013
    312
    388
    88
    Just to clarify, Xperia Z 4.2.2 and TouchWiz 4.1.2+ already have the fix... So if you are running TouchWiz JB you do not need to worry about this vulnerability. (It does say this in the XDA thread if you don't believe me)
     
    Doc likes this.
  19. Doc

    Doc Android Expert
    Thread Starter
    Rank:
    None
    Points:
    313
    Posts:
    1,784
    Joined:
    Aug 4, 2012

    Aug 4, 2012
    1,784
    1,462
    313
    Male
    IT Infrastructure Operations
    Portland OR
    I said it before and I'm going to say it again, you be the man sir;)
     
    bilgerryan likes this.
  20. steveokinevo

    steveokinevo Well-Known Member
    Rank:
    None
    Points:
    38
    Posts:
    158
    Joined:
    Jan 14, 2013

    Jan 14, 2013
    158
    20
    38
    After applying all these things and its correctly done, which apps can be removed after this whole process?
     
  21. greg schmeg

    greg schmeg Guest
    Rank:
    None
    Points:
    93
    Posts:
    531
    Joined:
    Oct 8, 2012

    Oct 8, 2012
    531
    157
    93
    Male
    Orlando FL
    I'm on touch wiz 4.1.2 blu Kuban gb27 and my test said I was vulnerable until I did the dual fix
     
    Doc likes this.
  22. Codegerm

    Codegerm Android Expert
    Rank:
    None
    Points:
    413
    Posts:
    3,753
    Joined:
    Jul 13, 2011

    Jul 13, 2011
    3,753
    1,266
    413
    Male
    Commercial service Technician for ADT
    Gainesville, FL
    Mind passing me the link to that XDA thread? The scanner apps report the bug present and I am on TW 4.1.2.
     
  23. bilgerryan

    bilgerryan Android Enthusiast
    Rank:
    None
    Points:
    88
    Posts:
    312
    Joined:
    May 29, 2013

    May 29, 2013
    312
    388
    88
    greg schmeg and Codegerm like this.
  24. Codegerm

    Codegerm Android Expert
    Rank:
    None
    Points:
    413
    Posts:
    3,753
    Joined:
    Jul 13, 2011

    Jul 13, 2011
    3,753
    1,266
    413
    Male
    Commercial service Technician for ADT
    Gainesville, FL
    True enough with all the different flavors of the S2 out there. Usually it is the international version that gets things first.
     
    greg schmeg, Doc and bilgerryan like this.

Share This Page

Loading...