Android Flaw Patching App Works for Jailbroken Phones
Duo Security and Northeastern University released a patch application for phones affected by the "master key" vulnerability. But only jailbroken phones can currently run the app.Security researchers from mobile-protection firm Duo Security and the System Security Lab at Northeastern University have produced a program to patch a major flaw in Android phones. But there's a significant catch: Only phones that have already been hacked can currently apply the fix. The program, known as ReKey, allows users to protect their Android smartphone or tablet by modifying the two vulnerable functions to fix the flaw. Any malicious app that attempts to exploit the master-key issue will not only fail to compromise the phone, but will cause the ReKey program to warn the user. Northeastern and Duo have been collaborating on the third-party patching technology for patching Android phones for about a year, according to Jon Oberheide, co-founder and chief technology officer of mobile-protection provider Duo Security. While the two teams could exploit the vulnerability to install their software and patch any phone, they are leery of doing so, he said. "We are a little cautious about releasing a weaponized exploit for this particular vulnerability, because there hasn't been any public proof of concepts, so we would not want to give attackers a working exploit," Oberheide said.
Fixing flaws in the Android mobile operating system is a slow process because multiple companies have to take part in the process. The Android development community fixes the vulnerability, an update version of the software is distributed by Google, the device manufacturers have to update their firmware and then the carriers have to test the update to make sure it does not impact their cellular network.