Almost two weeks after Bluebox Security announced a
vulnerability in Android's security model that could enable attackers to
convert most Android applications into Trojans, and more than a week after
Google released the fix for it, the vast majority of Android OEMs have yet to
patch the hole. So, Duo Security and Northeastern University's System Security
Lab (NEU SecLab) have released an app, ReKey, which fixes it for you. The two
organizations claim that with ReKey, Android users can immediately protect
their Android phone from Bluebox Security's "Master Key"
vulnerabilities, without waiting on security updates from their mobile carrier.
"ReKey is the latest of our research projects designed
to make the Internet a safer place," said Collin Mulliner, a postdoctoral
researcher at NEU SecLab, in a statement. "We hope that ReKey will provide
a practical tool for users to protect themselves and, at the same time, raise
awareness of the challenges in the mobile security space."
Jon Oberheide, CTO of Duo Security, added, "The security of Android devices
worldwide is paralyzed by the slow patching practices of mobile carriers and
other parties in the Android ecosystem."
ReKey isn't for everyone, though. It will only work on rooted devices.
In the ReKey FAQ, they explain, "In order to patch the
vulnerabilities on your device, ReKey requires escalated privileges. Normal
unprivileged applications on stock Android devices do not possess such
privileges, hence the need for a rooted device with the Superuser (or similar)
application."
The fix program itself "is based on a dynamic
instrumentation framework for Dalvik bytecode. Both Master Key vulnerabilities
are present in software that is written in Java and is executed in the Dalvik
VM. ReKey injects a small piece of code into the running Android framework. The
code dynamically patches the ZipEntry and ZipFile classes to interpose on the
vulnerable routines and thereby fix the root cause of the bugs. In addition to
fixing the bugs, ReKey installs a warning system that alerts the user when they
attempt to install an APK [Android application package file] that abuses the
vulnerabilities."
In addition, the Bluebox scanner that checks for the
security hole doesn't register the ReKey fix. So even after you install ReKey,
the scanner will still report that your phone has the vulnerability. The ReKey
team claims that the Bluebox scanner "does not appear to be accurately
checking whether the vulnerability is actually present or not."
If this makes you wary of ReKey, I can't blame you. That
said, the two organizations have a good reputation and the program currently
has a decent rating of 3.8 on the Google Play Store. So, if you have a rooted
smartphone or tablet and are nervous about its security, you may want to try
ReKey. Users running stock Android on their devices, however, will not be able
to use it.