Will Verduzco · Jul 18, 2013 at 08:00 pm

Xposed Patch for Master Key and Bug 9695860 Vulnerabilities

By now, you’ve undoubtedly heard of the Android Master Key vulnerability, which allows a malicious payload to be inserted in an application that is installed, due to a discrepancy between signature verification and app installation. The vulnerability has been known for some time, having been responsibly disclosed by Bluebox back in February, and patched a couple of weeks ago.

Another vulnerability, also known officially as Bug 9695860, works in a similar fashion and results in the installation of an unwanted malicious payload from a seemingly innocuous file. It, just like its predecessor, has also been patched a little over two weeks ago by Google.

Unfortunately, while these vulnerabilities have since been patched by Google and incorporated into a handful of OEM firmware updates, not every manufacturer has been so expedient. And given the usual delays ranging from laziness and lack of profitability to technical complexity, there’s really no telling as to when they will make their way into the majority of end-user devices. The aftermarket community’s quite a bit better, though. Case in point, CyanogenMod 10.1 has had the fix merged ever since July 7th.

However, while quite a good number of people run CM10.1 and derivative kanged ROMs, obviously not everyone is running CM10.1 on his or her device. After all, a good number of people enjoy running modified stock ROMs in order to preserve the original look and feel or OEM-specific features. And there are other source-built ROMs that just haven’t been updated to include the upstream fixes.

So what are stock firmware + root users to do in order to be safe? Well first off, said users should refrain from installing APKs that don’t come from trusted sources such as Google Play. However, we realize that this isn’t a true solution. To deliver that, XDA Recognized Contributor Tungstwenty came up with an Xposed module that patches both vulnerabilities in one go.

Previously, we’ve seen Recognized Developer rovo89‘s Xposed Framework used for quite a few modifications ranging from alleviating issues in recent Android revisions to managing permissions to loading the borderline malware (I kid, I kid) Facebook Home. However, we’ve not yet seen the framework used to deliver a fix for a vulnerability in such a manner. (Those wishing for a primer on the fantastic Xposed Framework should visit our write-up from a few months back.)

As expected from any Xposed-based modification, installation of Tungstwenty’s Xposed Module is incredibly simple. In his words:

1. Make sure the Xposed Framework is installed.
Follow the instructions on the thread. Root is required only during installation, it is no longer required afterwards. Only ICS or above is supported.

2. Install the Master Key dual fix module.

3. Follow the Xposed notification about a new module being available, and on the list of modules activate Master Key dual fix

4. Reboot the device (a Soft reboot is sufficient)

You should now see an image similar to the attached one. The green text shows that the module is active and the 2 vulnerabilities have been patched.

Those who would like to learn more about the vulnerability should visit this thread by Recognized Developer Adam77Root, which explains it in a little bit greater detail. It also outlines which ROMs would and would not be affected. Until you’re patched by either installing this Xposed patch or updating to the latest CM10.1 nightly, we advise that you only install APKs from trusted sources such as the Google Play store.

Head over to Tungstwenty’s modification thread to get your fix… literally.


_________
Want something on the XDA Portal? Send us a tip!

Will Verduzco

willverduzco is an editor on XDA-Developers, the largest community for Android users. Will Verduzco is the Portal Administrator for the XDA-Developers Portal. He has been addicted to mobile technology since the HTC Wizard. But starting with the Nexus One, his gadget love affair shifted to Google's little green robot. He is also a Johns Hopkins University graduate in neuroscience and is now currently studying to become a physician. View willverduzco's posts and articles here.
Mario Tomás Serrafero · Apr 18, 2015 at 10:00 am · 4 comments

Open War for Open Android: Antitrust for Cyanogen?

Android and openness is something we talk about all the time, but the recent developments in the industry point towards inherent flaws with this very premise. Be it from bloggers, political institutions or corporations, Android is seemingly not open enough. The “War on Openness” is ironically becoming an open war, where many players are increasing their stakes and scope to try and land a bigger hold - or at the very least, restrict Google’s - on what is the world’s...

XDA NEWS
Emil Kako · Apr 17, 2015 at 01:22 pm · 3 comments

What Do You Do with All of Your Old Photos?

Smartphone cameras have advanced so tremendously over the past few years that they have almost completely replaced point and shoot digital cameras for the most of us. Furthermore, since our smartphones are always with us, the majority of us end up taking tons of photos throughout the lifespan of our devices. But what happens to all the old photos you take? Do you store them on an external hard-drive or keep them backed up to an online cloud service like Flickr? Let us know what your favorite way of storing old photos is and why.

DISCUSS
Faiz Malkani · Apr 17, 2015 at 01:04 pm · 1 comment

Diving into the April 2015 Material Design Update

Before the release of Android 5.0 Lollipop, the Holo Design guidelines served as the official reference for Android design, right from IceCream Sandwich to KitKat. However, updates to the guidelines were few and far between, leading to a lack of synchronization between Android design and current UI/UX trends. Google seems to have learned from their mistake the last time around, and earlier this week, a significant update was released for the Material Design guidelines, marking the second revision in less...

XDA NEWS
Share This