Mods Master Key, Bluebox, root fix [Root only]

Discussion in 'Android Development' started by ironass, Jul 17, 2013.

  1. ironass

    ironass Extreme Android User
    Thread Starter
    (UPDATE See post #4)


    Earlier last month, RFP from BlueBox published a sneak preview of his upcoming BlackHat talk, detailing a vulnerability in the Android platform that affects nearly all Android devices. Soon after, a vulnerability of similar nature and impact was published on a Chinese forum. Both of these "Master Key" vulnerabilities allow an attacker to modify the code of an Android package without affecting the signature of the package as verified by the package manager, which has serious implications when considering system-signed packages. From an end user perspective, the vulnerabilities allow an attacker to take full control of a user's device.

    Google will be issuing a fix for this in their newer releases of Android firmware. However, these fixes will take time to filter down the food chain from Google to carriers to users... if indeed, a firmware update is even issued for older devices that are now past End of Life, since this vulnerability affects 99% of all Android devices going back to Android 1.6, Donut.

    Not wishing to take a chance, I have installed an app, free from the Play Store, which is the result of a research collaboration between Duo Security, a cloud-based two-factor authentication and mobile security company, and Northeastern University's System Security Lab (NEU SecLab) and patches the, "Master Key", vulnerabilities on rooted devices.

    The patch is not phone, device or firmware specific... you can whack it on any Android device that is rooted. Once activated it patches the device but should you flash a different firmware you will need to patch it again.

    The app is ReKey and can be downloaded from the Play Store

    Download

    Source


    wetbiker7, Chief YYZ, Doc and 15 others like this.
  2. Shotgun84

    Shotgun84 Extreme Android User
    Ironass to the rescue again. Nice one mate:thumb:
     
    Doc, ironass and dustwun77 like this.
  3. EarlyMon

    EarlyMon The PearlyMon
    VIP Member
    Definitely, thanks compadre! :)
     
    Doc, ironass and dustwun77 like this.
  4. ironass

    ironass Extreme Android User
    Thread Starter
    UPDATE

    Since writing post #1, I have uninstalled ReKey on my Samsung Galaxy S4, i9505, and run a test using the newly released, SRT AppScanner, free from the Play Store. This confirmed that on my current firmware, MGA, build date 11 JUL, there is no vulnerability to the Bluebox bug 8219321 and that ReKey is not required.

    However, other Android devices that are older and have not received a recent build firmware update, will be at risk.

    Perhaps just as worryingly, a second, more recent Master Key bug 9695860, usually referred to as the, "Chinese Master Key bug", has not been patched by Google in this firmware and is not covered by ReKey. This bug, only discovered very recently, is already patched by Google in the very latest versions of code for Android, (commit), but as yet, has not made its way down the chain for release.

    There has in the last few days, been a Universal fix released for both the 8219321 and 9695860 bugs but this entails flashing a framework to your device before applying the Universal Fix.

    For more details on this, see Tungstwenty's xda thread, here.

    The bottom line is that if you currently want protection from both of these bugs then Dual Fix is the way to go until a firmware for your device is released that patches both vulnerabilities. Which, in the case of older devices, might be never.

    Below are 2 screenshots from SRT AppScanner showing that whilst ReKey has indeed patched one bug, the device is still vulnerable to the latest one. The 2nd screenshot shows the device after installing the framework .apk and Dual Fix .apk...

    ReKey Fix only

    [​IMG]


    Dual Fix

    [​IMG]

    FYI... I am given to understand that CM10.1.2 has both fixes already installed.
     
    EarlyMon, greg schmeg, Doc and 2 others like this.
  5. Brian706

    Brian706 I like turtles!
    Moderator
    Dual fix works like a charm! Thanks for the update!
     
    ironass likes this.
  6. Doc

    Doc Android Expert
    Cool thank you sir.............:D
     
  7. ironass

    ironass Extreme Android User
    Thread Starter
    Thank you Brian706 for copying my post here.

    I really did not know where to put it as the fix applies to all Android devices on 4.* upwards and, "may", even work on GB and earlier versions.

    Having said that, it is a bit daunting being thanked by so many Mods and Guides... the last time I was surrounded by this many I was on the verge of an infraction I think!!! :pound:
     
    Brian706, EarlyMon and Doc like this.
  8. EarlyMon

    EarlyMon The PearlyMon
    VIP Member
    Dang! Changing the framework will break some things in my rom. :(

    Oh well. :eek:
     
  9. ironass

    ironass Extreme Android User
    Thread Starter
    Brian706 and EarlyMon like this.
  10. Brian706

    Brian706 I like turtles!
    Moderator
    :D Ya know, we are members too! We're all here to learn, to help and to have fun just like everybody else.
     
    EarlyMon likes this.
  11. ironass

    ironass Extreme Android User
    Thread Starter
    It would appear that cyber criminals are not slow to catch on to the Android Master Key exploits and more examples are cropping up...

    More Exploits for Android 'MasterKey' Vulnerability Turn Up in the Wild

    Researchers find trojanized banking app that exploits critical Android bug

    The chances are that if you have received a firmware update for your device in the last 3 or 4 months, it will have a fix for 1 of the 2 identified exploits, Bug #8219321, but not the Bug #9695860 which Android has also issued a patch for but, as yet, has not made its way to any firmware releases.

    You can check to see which of the Bugs you are vulnerable to by installing and running SRT AppScanner, free from the Google Play Store.

    App developers are also starting to take these exploits seriously...

    Android Flaw Puts Bitcoin Wallet Apps at Risk of Theft

    Some degree of protection is offered by only using the Google Play Store and ensuring that installing apps from, "Unknown sources", is deselected on your device. Antivirus software will not prevent the Master Key exploits and may, or may not, detect them after installation.

    You should also ensure that you have the very latest firmware installed for your device.

    In the meantime, for rooted users, there is the fix mentioned earlier.
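
Added example, not part of any post in this thread and not code from ReKey, SRT AppScanner or the Dual Fix: a desktop-side check of an APK file for the ZIP anomalies behind the two bugs discussed above. The thread does not describe the mechanics; the checks assume the publicly documented root causes (repeated entry names for bug 8219321, a local-header extra-field length that turns negative when read as a signed 16-bit value for bug 9695860), and the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import sys
import warnings
import zipfile
from collections import Counter


def scan_apk(source):
    """Return (bug, entry, detail) findings for a path or binary file object."""
    findings = []
    with zipfile.ZipFile(source) as apk:
        entries = apk.infolist()  # central directory, duplicates included
        # Bug 8219321: more than one entry carries the same name.
        for name, count in Counter(e.filename for e in entries).items():
            if count > 1:
                findings.append(("8219321", name, f"{count} entries share this name"))
        # Bug 9695860: local-header extra-field length with the high bit set,
        # which a parser reading the field as signed sees as negative.
        for e in entries:
            apk.fp.seek(e.header_offset)
            header = apk.fp.read(30)  # fixed part of a local file header
            if len(header) < 30 or header[:4] != b"PK\x03\x04":
                findings.append(("malformed", e.filename, "bad local header"))
                continue
            (extra_len,) = struct.unpack_from("<H", header, 28)
            if extra_len >= 0x8000:
                findings.append(("9695860", e.filename, f"extra length {extra_len:#06x}"))
    return findings


def constructed_sample():
    """Constructed test archive: placeholder bytes, one repeated entry name."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("AndroidManifest.xml", b"placeholder")
            z.writestr("classes.dex", b"placeholder-a")
            z.writestr("classes.dex", b"placeholder-b")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    targets = sys.argv[1:] or [constructed_sample()]
    for target in targets:
        for bug, name, detail in scan_apk(target):
            print(f"bug {bug}: {name}: {detail}")
```

A non-empty result is a reason to reject the APK before it reaches a device; an empty result says nothing about whether the device's firmware is patched.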
     
