ആന്‍ഡ്രോയ്ഡ് ആപ്പുകള്‍ ഹൈജാക്ക് ചെയ്യപ്പെടുന്നു

99% ആന്‍ഡ്രോയ്ഡ് ഡിവൈസുകളിലും ഈ സുരക്ഷാ പാളിച്ച ഉണ്ടായിരുന്നു എന്ന് പറയുമ്പോള്‍ ഇത് എത്രത്തോളം അപകടകരമായിരുന്നു എന്ന് പറയേണ്ടതില്ലല്ലോ

സാന്‍ഫ്രാന്‍സിസ്കോ ആസ്ഥാനമായി പ്രവര്‍ത്തിക്കുന്ന BlueBox Security ആണ് ആന്‍ഡ്രോയ്ഡിലെ ഈ വിള്ളല്‍ ആദ്യമായി കണ്ടു പിടിച്ചത്. അവരിതിനെ Android Master Key Flaw (Master Key vulnerability) എന്നാണ് വിശേഷിപ്പിച്ചത്.

 Android Version 1.6  മുതല്‍ക്കേ ഇത് നിലവിലുണ്ട്. ഇതിലൂടെയുള്ള അറ്റാക്ക് ആപ്ലിക്കേഷന്‍റെ Digital Signature നു (എല്ലാ ആന്‍ഡ്രോയ്ഡ് ആപ്പുകള്‍ക്കും അതിന്‍റേതായ cryptographic signatures ഉണ്ട്. ഇവ ആപ്പുകളില്‍ മാറ്റം വരുത്തുന്നത് തടയുന്നു) മാറ്റം ഉണ്ടാക്കാതെ ചെയ്യാം എന്നതാണ് ഏറ്റവും വലിയ സവിശേഷത. അതായത് ഒരു ഡിവൈസ് അറ്റാക്ക് ചെയ്യപ്പെട്ടിട്ടുണ്ടോ എന്ന് കണ്ടുപിടിക്കുക വളരെ ശ്രമകരം തന്നെ..

So, bugs happen. Sometimes really bad bugs happen. Most of the time these really bad bugs like the ones discovered get patched and deployed to users quickly. In this case, the vulnerabilities were both patched quickly in the Android Open Source Project (AOSP) by Google. Unfortunately, due to the way updates are handled in the Android software ecosystem, the responsibility falls upon the OEMs and carriers to take the upstream AOSP fixes and deploy them to users. Indeed, there is often a period of months and sometimes years where Android vulnerabilities go unpatched since carriers are notoriously slow in rolling out security patches to their users.

How does ReKey work?

ReKey is based on a dynamic instrumentation framework for Dalvik bytecode. Both "Master Key" vulnerabilities are present in software that is written in Java and is executed in the Dalvik VM. ReKey injects a small piece of code into the running Android framework. The code dynamically patches the ZipEntry and ZipFile classes to interpose on the vulnerable routines and thereby fix the root cause of the bugs. In addition to fixing the bugs, ReKey installs a warning system that alerts the user when they attempt to install an APK that abuses the vulnerabilities.

Why does my device need to be rooted?

In order to patch the vulnerabilities on your device, ReKey requires escalated privileges. Normal unprivileged applications on stock Android devices do not possess such privileges, hence the need for a rooted device with the Superuser (or similar) application.

Wow, that sounds lame, huh? Well, to make things more interesting, it is technically possible for the ReKey app to exploit the unpatched vulnerability in order to gain the privileges needed to patch that vulnerability. However, distributing a reliable exploit that could be re-used by malicious parties may not be in the best interest of public safety. That being said, if a weaponized exploit was observed being used publicly in the wild for nefarious purposes, that would "change our calculus" or whatever the phrase is these days. Stay tuned.

Why aren't the "Master Key" vulnerabilities patched?

Good question! The short answer is that mobile carriers are slow and conservative when supplying security patches (and Android updates in general) to their users. The end result is that users and their devices are left exposed to public vulnerabilities for months or even years.

The longer answer is the subject of our DARPA-funded X-Ray project. The software underlying a modern mobile device is controlled by many parties. Google may be in charge of the base Android Open Source Project, but a typical device includes many different packages, drivers, and customizations from carriers, manufacturers, and other third-parties, not to mention all the open source components (Linux kernel, WebKit, libraries) owned by various project maintainers. When a vulnerability is discovered, coordinating with the responsible parties isn't a trivial task. You'd probably lose if you tried to play Six Degrees of Separation with the developer who introduced the vulnerability, and the party who's responsible for patching it.

Long story short: users don't receive critical security updates in a timely fashion. Bad things result.

Why are the "Master Key" vulnerabilities dangerous?

If your device is vulnerable to one of the "Master Key" security flaws that were recently disclosed, a malicious attacker may exploit the vulnerabilities to gain full, unrestricted control over your Android device. While the apps you install from the Google Play store are normally restricted by the permissions you grant them and constrained by the Android sandbox, these vulnerabilities allow a malicious application to escalate privileges and perform any action they desire without you knowing.

Can I trust ReKey with root access on my device?

Did you see those seals up above? They look pretty darn official and trustworthy. They have Latin phrases and everything.

But seriously, you can trust us. We're semi-reputable individuals (Collin Mulliner,Jon Oberheide) with a long history of mobile security research, backed by more reputable organizations (Northeastern University, Duo Security). Did we mention the seals?!? Props for not installing random apps as root without at least thinking that question in your head.

Can I uninstall the ReKey app after running it once?

Careful! You need to keep the ReKey app installed to maintain protection against the Master Key vulnerabilities. Uninstalling ReKey will result in your device becoming vulnerable again.

The ReKey app does not modify your device's software in any persistent manner. Instead, it patches the vulnerability in volatile memory. So running ReKey the first time will patch your device immediately, and ReKey will automatically re-patch it every time you reboot, as long as the app stays installed.