Wednesday 17 July 2013

Third-party app released to fix Bluebox Security Android hole



Almost two-weeks after Bluebox Security announced a vulnerability in Android's security model that could enable attackers to convert most Android applications into Trojans, and more than a week after Google released the fix for it, the vast majority of Android OEMs has yet to patch the hole. So, Duo Security and Northeastern University's System Security Lab (NEU SecLab) have released an app, ReKey, which fixes it for you. The two organizations claim that with ReKey, Android users can immediately protect their Android phone from Bluebox Security's "Master Key" vulnerabilities, without waiting on security updates from their mobile carrier.
"ReKey is the latest of our research projects designed to make the Internet a safer place," said Collin Mulliner, a postdoctoral researcher at NEU SecLab in a statement. "We hope that ReKey will provide a practical tool for users to protect themselves and, at the same time, raise awareness of the challenges in the mobile security space."Jon Oberheide, CTO of Duo Security, added, "The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem."ReKey isn't for everyone though. It will only work on rooted devices.
In the ReKey FAQ, they explain, "In order to patch the vulnerabilities on your device, ReKey requires escalated privileges. Normal unprivileged applications on stock Android devices do not possess such privileges, hence the need for a rooted device with the Superuser (or similar) application."
The fix program itself "is based on a dynamic instrumentation framework for Dalvik bytecode. Both Master Key vulnerabilities are present in software that is written in Java and is executed in the Dalvik VM. ReKey injects a small piece of code into the running Android framework. The code dynamically patches the ZipEntry and ZipFile classes to interpose on the vulnerable routines and thereby fix the root cause of the bugs. In addition to fixing the bugs, ReKey installs a warning system that alerts the user when they attempt to install an APK [Android application package file] that abuses the vulnerabilities."
In addition, the Bluebox scanner that checks for the security hole doesn't register the ReKey fix. So even after you install ReKey, the scanner will still report that your phone has the vulnerability. The ReKey team claims that Bluebox scanner "does not appear to be accurately checking whether the vulnerability is actually present or not."
If this makes you wary of ReKey, I can't blame you. That said, the two organizations have a good reputation and the program currently has a decent rating of 3.8 on the Google Play Store. So, if you have a rooted smartphone or tablet and are nervous about their security, you may want to try ReKey. Users running stock Android on their devices, however, will not be able to use it.