Android OEMs slow to roll out Bluebox Security patch

Google released the Bluebox Security fix days ago but only a handful of OEMs have released the patch to customers. On the bright side, there's now an Android app available to scan for the security hole.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The scary news was that Bluebox Security had worked out a way to break Android's security model. In theory, this could be exploited with almost any Androids apps. The hopeful news was that Google quickly released a patch for the security hole to phone original equipment manufacturers (OEM)s . The annoying news is that almost none of the OEMs have released the patch.

OEMs are being painfully slow about releasing the Bluebox Security patch, but Bluebox itself has released a scanner app for it.

Worse still, there's now a proof of concept for the security hole. This proof of concept means that as surely as the sun will rise in the east in the morning we'll soon see real malware using it.

What's a user to do? Well, for starters, there's no real need to panic if you just follow a few simple, security rules with your Android device to avoid apps that have been compromised with this exploit.

What the OEMs should be doing, and for the most part aren't, is releasing the patch so there will be no reason to worry about it. At this time, the only Android smartphones and tablets I'm certain have have the patch are the Samsung Galaxy S4, the HTC One, and hardware using the latest version of the alternative Android firmware CyanogenMod.

According to Gina Scigliano, Google's Android Communications Manager, Google has "not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue - and Verify Apps provides protection for Android users who download apps to their devices outside of Play." Verify Apps in a security program in Android 4.2 and higher. It scan any apps you want to download and install against Google’s database of safe apps.

Scigliano also said that "Nexus devices will receive the fix in an upcoming software update."

In the meantime, if you want to make darn sure that there are no compromised apps on your system Bluebox Security has released an Android program, Bluebox Security Scanner for apps that try to take advantage of this security flaw.

In addition, Bluebox Security Scanner checks to see if your device is vulnerable or patched for the Bluebox "Master key" security flaw. The scanner also checks to see if your system is set to allow non-Google Play application installs. Non-Google Play Android markets are the most likely vector for any corrupted Android apps.

To sum up, if you're careful about where you download your Android software you should be safe whether your system is patched or not. That said, it would sure be nice for the OEMs to get on with integrating Google's patch into their customized versions of Android so we can all have safer devices and we wont need to worry about the problem anymore at all.

Related Stories:

Editorial standards