Third-party app released to fix Bluebox Security Android hole

Summary: With OEMs still not releasing Google's fix for the security hole discovered by Bluebox Security, researchers have released a mobile application that fixes the vulnerability.


Almost two weeks after Bluebox Security announced a vulnerability in Android's security model that could enable attackers to convert most Android applications into Trojans, and more than a week after Google released the fix for it, the vast majority of Android OEMs have yet to patch the hole. So, Duo Security and Northeastern University's System Security Lab (NEU SecLab) have released an app, ReKey, which fixes it for you.

ReKey can fix the Bluebox Security hole on rooted Android devices.

The two organizations claim that with ReKey, Android users can immediately protect their Android phone from Bluebox Security's "Master Key" vulnerabilities, without waiting on security updates from their mobile carrier.

"ReKey is the latest of our research projects designed to make the Internet a safer place," said Collin Mulliner, a postdoctoral researcher at NEU SecLab, in a statement. "We hope that ReKey will provide a practical tool for users to protect themselves and, at the same time, raise awareness of the challenges in the mobile security space."

Jon Oberheide, CTO of Duo Security, added, "The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem."

ReKey isn't for everyone though. It will only work on rooted devices.

In the ReKey FAQ, they explain, "In order to patch the vulnerabilities on your device, ReKey requires escalated privileges. Normal unprivileged applications on stock Android devices do not possess such privileges, hence the need for a rooted device with the Superuser (or similar) application."

The fix program itself "is based on a dynamic instrumentation framework for Dalvik bytecode. Both Master Key vulnerabilities are present in software that is written in Java and is executed in the Dalvik VM. ReKey injects a small piece of code into the running Android framework. The code dynamically patches the ZipEntry and ZipFile classes to interpose on the vulnerable routines and thereby fix the root cause of the bugs. In addition to fixing the bugs, ReKey installs a warning system that alerts the user when they attempt to install an APK [Android application package file] that abuses the vulnerabilities."

In addition, the Bluebox scanner that checks for the security hole doesn't register the ReKey fix. So even after you install ReKey, the scanner will still report that your phone has the vulnerability. The ReKey team claims that the Bluebox scanner "does not appear to be accurately checking whether the vulnerability is actually present or not."
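As an added example (not ReKey's, Bluebox's or Google's code), here is an offline check in the spirit of ReKey's install-time warning: it parses an APK's ZIP central directory directly and flags any entry name that appears twice, which is the publicly documented root cause of the first Master Key bug (a signature verifier and an installer that read different copies of the same name disagree about what was signed). It assumes only the standard ZIP record layout, builds its own constructed sample archive, and does not cover the second Master Key bug or verify signatures.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"   # central directory file header

def central_directory_names(data: bytes) -> list:
    """Walk the ZIP central directory by hand and return every entry name,
    duplicates included, independent of which copy a convenience API keeps."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entry count at +10 (2 bytes), cd size at +12, cd offset at +16
    n_total, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    names, pos = [], cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory header at %d" % pos)
        # fixed header is 46 bytes; name/extra/comment lengths sit at +28/+30/+32
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names

def find_duplicate_entries(data: bytes) -> dict:
    """Names that appear more than once in the central directory, with counts."""
    counts = Counter(central_directory_names(data))
    return {name: n for name, n in counts.items() if n > 1}

def high_level_view(data: bytes, name: str) -> bytes:
    """One copy of a duplicated name, chosen silently (Python's zipfile keeps the
    last); a second parser may pick the other copy, which is what the bug abuses."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)

def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed sample shaped like an APK (not a real app); with duplicate=True
    a second classes.dex is appended under the same name."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("AndroidManifest.xml", "<manifest/>")
            z.writestr("classes.dex", "dex\n035 original code")
            if duplicate:
                z.writestr("classes.dex", "dex\n035 replacement code")
    return buf.getvalue()
```

A non-empty result from `find_duplicate_entries` on a real APK is the condition to warn on before installation; a clean archive returns an empty dict.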

If this makes you wary of ReKey, I can't blame you. That said, the two organizations have a good reputation and the program currently has a decent rating of 3.8 on the Google Play Store. So, if you have a rooted smartphone or tablet and are nervous about its security, you may want to try ReKey. Users running stock Android on their devices, however, will not be able to use it.

  • Poorly designed OS

    Anybody can do anything in Android, with apps and developers and thugs exploiting the weak points. 95 percent of android owners are average Joes who will never hear about this security issue or will update their phone to fix this hole.

    The best solution is to dump android and Google spyware products and adopt competing products like Windows, blackberry or iOS, which have no security issues whatsoever.
    • If you repeat yourself over and over

      You hoping that someone might one day listen to you?
      And not think you're a one dimensional MS lover who continually trolls any android article moaning about Google.
      Don't like them mate. Don't use them. Use what you want to.
      Then move on, and let others use what they want to.
      And enjoy the peace and quiet!
      • Perhaps the OS is not poorly designed

        but the support system is non-existent. To release Android without an update system in place is a travesty and borders on criminal. Google scores again with problems worse than MS and I didn't think that was possible.
        • It isn't Google

          It's the carriers. The open source nature of Android allows the carriers to control the updates. Blaming Google for this is simply myopic. Now, if Google could control the update process....
      • My opinion...

        It's my opinion mate, don't like it, please don't read it.
        • ZD-Net: Feature Request

          Can we have "kill file" functionality for these comment boards, please? It would greatly increase my enjoyment of ZD-Net if I never saw a single post from user "(?i)ow[l1]+net" again.
          • then who would read your posts?

    • Sensationalist Headlines/Clickbait

      How many actual exploitations in the wild, documented to date?
      In a flap over a theoretical vulnerability so far.
      If this 'hole' had not been published, probably no blackhat hacker would've ever known about it.
      My Nexus 4, being rooted, is plugged by ReKey, from Google Play Store.
      'Windows, blackberry or iOS' have 'no security issues'? You have no credibility whatsoever.
  • Re: Security Android hole

    Security Android hole ???

    Oh yeah and you guys are always telling us that Android is Linux....

    Food for thought don't you think.
    • Ignorance

      Linux is a kernel, not an operating system. Android uses the Linux kernel and the exploit is with the Android system. If you are ignorant of something please do not comment on it. The GNU/Linux operating system is a combination of the GNU project's software and the Linux kernel as well as many other open source projects. It is incorrectly labeled as Linux when it is in fact GNU/Linux.
      Igos Du Ikana
  • LOL

    From the article:
    "ReKey isn't for everyone though. It will only work on rooted devices."
    Rabid Howler Monkey
    • By necessity, surely?

      Did you expect to be able to tinker with the application authentication code *without* root privileges? And if so, why?
      • I've two thoughts on this fix, besides kudos to Duo Security and NEU SecLab

        1. What percentage of Android device users have rooted their devices? Surely, a very small percentage have achieved this. And these users [mostly] have the chops to keep out of trouble in the first place. The users that need this patch most aren't going to bother with rooting their device.

        2. Coming from a GNU/Linux perspective, why isn't there a relatively easy way for Android device users to access root privileges when necessary (or just if and when they want to) whether the root user actually exists or not? For example, with Ubuntu, the root account is disabled by default and one uses sudo to run a command as root once authentication is provided by the user with sudo privileges. This lock down of Android is reminiscent of Apple's iOS where users must jailbreak their devices to get to root.

        Should there be an easy way for enterprise mobile admins to control the availability of root privileges for their users? Yes. And for consumers, should there be an easy way for device administrators to control the availability of root privileges for device users, very likely family members? Yes. Why not have a setting similar to the one allowing for the installation of apps from unknown sources that enables (and disables) access to root privileges? A simple check box. Of course, Google should have access to root privileges disabled by default and have the setting only accessible to the device administrator.
        Rabid Howler Monkey
        • Good suggestion

          "Why not have a setting similar to the one allowing for the installation of apps from unknown sources that enables (and disables) access to root privileges? A simple check box."

          It would really upset the OEM, I am sure, but I agree with you on that option.
        • Make it too easy and you make it phishable.

          Make it phishable and it will be phished.
          And then you're back to square one with "social engineering", and malware crippling the signature check.

          "The users that need this patch most aren't going to bother with rooting their device."
          True, that is the crux of the problem. They're also *by definition* the users most likely to be fooled if malware were to start asking for root permissions.
          • Yer Right Zogg

            Last few posts---intelligent, reasoned discussion. Wow!
            It is a vicious circle you describe. The irony of it.
            Freedom without some parameters is not true freedom, unless each is an island unto themselves.
            Google's trafficking in freedom is taken advantage of as Manufacturers, and Carriers each put their own twist and spin on the OS. That makes universal patching and upgrading very difficult. And those evil Carrier service locks added also to boot, even after the phone is paid in full.
            You should see the CRTC of Canada's Order taking effect here Dec. 2 re: unlocking. You'll envy us, or maybe just buy your phones up here.
          • I don't see how Google could implement "remote updating" really.

            The "Unpardonable Crime" in any remote update would be to brick someone's device, and there's no way for Google to be *sure* that any remote update would be compatible with any changes that a vendor may have made.

            Users are probably just going to have to learn to dump those Android vendors who refuse to provide security updates quickly enough.
          • Zogg: "Make it too easy and you make it phishable"

            Phishing already occurs on Android by getting an unwary user to click on a malicious link embedded in email and SMS. Root privileges are not required. And if a user has enabled app installation from unknown sources, a malicious Android app can end up installed on one's device.

            In addition, the failure of most users to pay attention to side-loaded Android app permissions prior to installation just makes a bad problem worse. Since app permission screening seems to be over the heads of most Android device users, this points to removing the install apps from unknown sources setting from the OS. Note that plenty of damage can be done to Android device users by installing malicious apps, without users having root privileges, as the user's data resides in non-root accounts. All the miscreants need are the right permissions for their malicious apps. And by 'right permissions', I don't mean root privileges.

            If one really cares about phishing, and more generally, Android malware, then this optional setting (install apps from unknown sources) should be removed from the Android OS, locking users into the app store that defaults with their device (e.g., Google Play, Amazon App Store). In this manner, rooting of the Android device would also be necessary to install apps from outside the default app store. This too is reminiscent of Apple's iOS where users must jailbreak their devices in order to install apps from outside Apple's app store.

            Bottom line, IMO, Android should either be open or closed (I vote for open). Right now, it's muddled and is somewhere in the middle. Finally, please answer this question:

            Why is open OK for GNU/Linux, but not for Android?
            Rabid Howler Monkey
          • My point is that root privileges are not currently phishable.

            "Phishing already occurs on Android by getting an unwary user to click on a malicious link embedded in email and SMS. Root privileges are not required."

            At the moment, root privileges are not *available* to be phished either. Unless you root your phone. Which you can, should you so choose.

            "Why is open OK for GNU/Linux, but not for Android?"

            Don't be absurd - Android is open!? As evidenced by your ability to root your phone and customize it however you want.
          • Zogg: "Don't be absurd - Android is open!?"

            "As evidenced by your ability to root your phone and customize it however you want."

            With GNU/Linux, Chrome/Chromium OS excepted, the user has root privileges by default. With Ubuntu, the root account is disabled by default and the initial non-root user account gets root privileges via the sudo command. In addition, the user can enable the root account via the command 'sudo passwd root'. With Debian, both a root and a non-root account are created during installation and the initial non-root account is given root privileges via the sudo command. *This* is what 'open' looks like.

            With Android, one must visit a web site such as the following:


            and follow the instructions in order to root one's device. If one is lucky, a universal rooting method will apply to one's Android device. And, if not, one must find a rooting method specific to one's Android device. While this may be open when compared to a Windows RT-based device, it is *not* open when compared to a standard GNU/Linux distro like Ubuntu or Debian, as examples.
            Rabid Howler Monkey