JerryScript
Android Expert
You've probably heard about the Master Key vulnerability found recently in almost all versions of Android. If not, basically there is a flaw in the signing methods used to ensure an application has not been modified by third parties. This vulnerability allows a malicious app to elevate it's permissions and install other things in the background, up to and including completely taking over your phone.
There are two solutions available so far. I have only tested Rekey's app, and it does work on the Victory:
App to fix MasterKey vulnerability:
http://play.google.com/store/apps/details?id=io.rekey.rekey
Info on the MasterKey vulnerability and how Rekey works
Note- Each time you flash a ROM (custom or stock), you will have to uninstall and re-install the Rekey app again. I will see if it is permissible to package the app in Victorious, and if so I will release a security maintenance update ASAP!
Note2- If you uninstall, you will need to boot into recovery and wipe cache and dalvik-cache and reboot. Classes contained in core.jar that are changed as a result of the patch will need to be cleared from cache in order to fully uninstall. Android does some of this automatically, it depends on a timed sweep to do it for some files, and virtually ignores other files.
Update - I am currently not recommending anyone install ReKey unless they suspect they have infected apps on their phone. I've had too many issues with WiFi and 3G today while ReKey was installed. I have uninstalled and restored a backup I made just after installing Victorious-0.1.4, and I no longer have the WiFi/3G issues, so I can only assume they were caused by ReKey (not to mention the other posts in this thread related to WiFi issues). While the Master Key security hole is a huge one, it has not been exploited much to date. So long as you only install from The Play Store, or at least choose to install with Google Verification, you shouldn't have any worries. Once it is possible, I will patch Victorious, and attempt to release a general patch for the Victory.
There are two solutions available so far. I have only tested Rekey's app, and it does work on the Victory:
App to fix MasterKey vulnerability:
http://play.google.com/store/apps/details?id=io.rekey.rekey
Info on the MasterKey vulnerability and how Rekey works
Note- Each time you flash a ROM (custom or stock), you will have to uninstall and re-install the Rekey app again. I will see if it is permissible to package the app in Victorious, and if so I will release a security maintenance update ASAP!
Note2- If you uninstall, you will need to boot into recovery and wipe cache and dalvik-cache and reboot. Classes contained in core.jar that are changed as a result of the patch will need to be cleared from cache in order to fully uninstall. Android does some of this automatically, it depends on a timed sweep to do it for some files, and virtually ignores other files.
Update - I am currently not recommending anyone install ReKey unless they suspect they have infected apps on their phone. I've had too many issues with WiFi and 3G today while ReKey was installed. I have uninstalled and restored a backup I made just after installing Victorious-0.1.4, and I no longer have the WiFi/3G issues, so I can only assume they were caused by ReKey (not to mention the other posts in this thread related to WiFi issues). While the Master Key security hole is a huge one, it has not been exploited much to date. So long as you only install from The Play Store, or at least choose to install with Google Verification, you shouldn't have any worries. Once it is possible, I will patch Victorious, and attempt to release a general patch for the Victory.
