A major security loophole was found in Android that will give malicious applications the ability to infect a legitimate app without triggering security alarms. This bug affects most Android devices in the market even the old Android versions, and the fix was only silently patched by Google this February 2013.
If it was fixed, then why bother? It was fixed in the source code or commonly known as AOSP (Android Open Source Project). Unfortunately, manufacturers are slow in releasing fixes, yes, even security related patches. They have a long list of processes to follow and bureaucracy protocols in place. A simple patch can get months before it gets attention or approved – after all, it was only a “simple” fix why prioritize it when there are far more pressing matters to discuss, right?
Fortunately, we do not have to wait for the manufacturer patch. If you have a rooted Android phone, then this is for you. But if you are still not rooted, go read this first: Why You Should (Not) Root Your Android Phone.
These two fixes available also applies to all Android phones with a custom ROM that did not receive an update after the public disclosure of the security loophole early July of 2013. Believe it or not, there are plenty of custom ROMs that have not released a security patch yet. Or if you are lazy to update for whatever reason, then this option is for you as well.
However, if your custom ROM released a security patch after the July 2013 disclosure, then you do not have to worry. I use CyanogenMod 10.1.x, and the CM team released 10.1.1 and 10.1.2 with the patch for the Android security bug #8219321 and #9695860 or commonly known as the “Master Key” vulnerabilities. For earlier CM versions, check the official website for updates. Or again, use the solutions below.
What is this “Master Key” vulnerability?
Earlier this month, RFP from BlueBox published a sneak preview of his upcoming BlackHat talk, detailing a vulnerability in the Android platform that affects nearly all Android devices. Soon after, a vulnerability of similar nature and impact was published on Chinese forum. Both of these “Master Key” vulnerabilities allow an attacker to modify the code of an Android package without affecting the signature of the package as verified by the package manager, which has serious implications when considering system-signed packages. From an end user perspective, the vulnerabilities allow an attacker to take full control of a user’s device.
Option #1: ReKey by NEU and Duo Security
ReKey is the result of an ongoing research collaboration between Northeastern University’s SecLab research group and Duo Security. It is a mobile app for the Android platform that, in essence, takes the upstream patch from Google and deploys it in a safe and non-destructive manner on your device. The end result is that Android users are able to immediately protect their Android phone from the “Master Key” vulnerabilities, without having to wait on security updates from their mobile carrier.
Get it at Google play: ReKey (for rooted phones)
Option #2: Master Key dual fix by Tungstwenty from XDA Developers
The Master Key dual fix app is similar to ReKey, it fixes the two “Master Key” vulnerabilities (bugs #8219321 and #9695860). The only difference is the method of applying the patch. Master key dual fix uses the Xposed Framework method/app, if you have used this great tool then it is better to use Tungstwenty’s Master Key fix.
You do not know what Xposed Framework is and interested to know more about it? You can start by reading my earlier post here.
Get the fix on Google Play: Master Key dual fix.
Get Xposed Framework here: [FRAMEWORK ONLY!] Xposed – ROM modding without modifying APKs, the latest version as of this post is XposedInstaller_2.1.4.
Test If You Are Protected!
Ah, if you think applying either of the fixes is enough, you are highly mistaken. When it comes to security, always make sure that it works by testing it. How? By attempting to exploit the security loophole. Lucky for us, we do not need to find some infected apk file (which is risky if your patch failed) because there are Proof-of-Concept (PoC) apks available.
What I will show you is a PoC from github, in other words, the source code is available for anyone to check if you doubt the apk’s safety. Now if you are of the camp that “open-source” is insecure because people can see the source code, well, go compile it yourself.
Download the PoC apk here: modded.apk. Then just run it to install. Android should give you an error that the application was not installed. Congratulations, you are safe!
If it successfully installed then well, you did something wrong and the patch you used did not work. Uninstall the modded.apk PoC, reapply the patches, reboot, then try to install it again.
You can view the source code or compile your own PoC modded.apk by visiting: the project’s github.
Can I Uninstall Now?
No. If you uninstall it, then you will be vulnerable again. Both options above does not fixed the vulnerability on the source code level of your Android ROM because it is not possible. To get a permanent fix, you have to  wait for your phone manufacturer to release a patch; or  get the update for your custom ROM; or  switch to a better custom ROM that have dedicated developers and are security inclined.
If you use a custom ROM made by an individual – usually unofficial port of ROMs for a different phone model; or a custom ROM of a custom ROM of a custom ROM – then more likely than not you are out-of-luck, better contact your developer and do not uninstall the Master Key app for the time being.
Go tell your Android friends about this security loophole. Share this post to them!
Go back to: myAndroid Hub.
How-to Fix Android’s July 2013 Security Loophole by Yuki is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Permissions beyond the scope of this license may be available at Legal Notice.