
Root [Virgin Mobile] [SECURITY] Rekey Releases Patching APK for Master Key Vulnerability

Discussion in 'Android Devices' started by JerryScript, Jul 17, 2013.

  1. JerryScript

    You've probably heard about the Master Key vulnerability found recently in almost all versions of Android. If not, basically there is a flaw in the signing methods used to ensure an application has not been modified by third parties. This vulnerability allows a malicious app to elevate its permissions and install other things in the background, up to and including completely taking over your phone.

    There are two solutions available so far. I have only tested Rekey's app, and it does work on the Victory:
    App to fix MasterKey vulnerability:
    http://play.google.com/store/apps/details?id=io.rekey.rekey

    Info on the MasterKey vulnerability and how Rekey works

    Note- Each time you flash a ROM (custom or stock), you will have to uninstall and re-install the Rekey app again. I will see if it is permissible to package the app in Victorious, and if so I will release a security maintenance update ASAP!

    Note2- If you uninstall, you will need to boot into recovery and wipe cache and dalvik-cache and reboot. Classes contained in core.jar that are changed as a result of the patch will need to be cleared from cache in order to fully uninstall. Android does some of this automatically, it depends on a timed sweep to do it for some files, and virtually ignores other files.

    Update - I am currently not recommending anyone install ReKey unless they suspect they have infected apps on their phone. I've had too many issues with WiFi and 3G today while ReKey was installed. I have uninstalled and restored a backup I made just after installing Victorious-0.1.4, and I no longer have the WiFi/3G issues, so I can only assume they were caused by ReKey (not to mention the other posts in this thread related to WiFi issues). While the Master Key security hole is a huge one, it has not been exploited much to date. So long as you only install from The Play Store, or at least choose to install with Google Verification, you shouldn't have any worries. Once it is possible, I will patch Victorious, and attempt to release a general patch for the Victory.
     


    tarvoke and buzzcon like this.
  2. buzzcon

    Works OK for me as well. One thing, the phone restarted right after starting/enabling the app. Not sure if that is normal or not, just thought I would mention it. :)
     
  3. JerryScript

    Did the same for me, and with the market reports of bootloops in the first releases, I was worried at first, but it booted up just fine after that first soft-reboot. I imagine it required a soft-reboot to finish installing the patch, typical with patches even on PCs. I've restarted a couple of times since, and everything appears to be working fine.

    Note- I do get the Android is Upgrading popup each time I reboot.
     
  4. tarvoke

    the hilarious thing, and by hilarious I mean truly awesome, of course, would be if the rekey apk in the store was already hacked. do we have a sha1 or something for the file?

    "Android is Upgrading" just means, like, something is rebuilding its dalvik cache, right? there was one app that made my OV do that every single time, and I could never figure out why or even which app it was.
     
  5. JerryScript

    Yes, so ReKey must be wiping some part of the dalvik-cache either at shutdown or on boot. The main security flaw is in core.jar, so perhaps it wipes there for safety.
     
  6. buzzcon

    I completely turned off the phone and restarted with no pop up that Android is Updating. I am still running the stock ROM. I do notice that when I restart the phone, I now have to manually turn off WiFi and then turn it on to connect. If I don't turn it off manually, I get the message that my network is out of range and I am 20 feet from my WiFi router.

    It also rebooted after it first started, so not sure if the boot loop is completely fixed.
     
  7. tarvoke

    that was the idea percolating in my head, makes a sort of sense.
     
  8. JerryScript

    I seem to be having the same issue with wifi after installing ReKey. After a restart, I have to go into airplane mode then turn airplane mode off in order to get wifi to connect, just toggling wifi off/on doesn't do the trick. I'm off to work now, will check logcat later to see what's up. BTW- I do use the connections optimizer, that may have something to do with it.
     
  9. JerryScript

    I've continued to have connection issues since installing ReKey. 3G as well as Wi-Fi. I have uninstalled for now.

    BTW- I had to boot into recovery and wipe cache and dalvik-cache to fully uninstall the effects of ReKey. This is one case where the vaccine is less acceptable than the risk of infection IMHO. I wish stock Android had a full-fledged un-installer!

    (Note to self- When you build from source for the Victory, fix the uninstaller!)
     
