Duo Security announced the availability of an Android utility dubbed “ReKey” (http://www.rekey.io/) on Tuesday. The tool allows Droid users to patch the so-called “Master Key” vulnerability on Android devices, even in the absence of a security update from Android handset makers (OEMs) and carriers who service the phones, according to a post on the Duo Security blog.
In an e-mail exchange with The Security Ledger, Jon Oberheide, the CTO of Duo Security, said that ReKey provides an in-memory patch for the master key vulnerability, dynamically instrumenting the Dalvik bytecode routines where the vulnerability originates, patching it in-memory. Oberheide said that ReKey will also”hook” (or monitor) those routines to notify you if any malicious applications attempt to exploit the vulnerability.
Despite the availability of a patch since March, many Android users remain vulnerable to attacks that take advantage of the application signing flaw. That is because Android handset makers have been slow to issue updates for their Droid handsets. For platforms (HTC and Samsung) that have been patched, carriers delayed the rollout to customers further.
“The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,” said Oberheide. However, the fragmentation of the Android ecosystem is significant enough that it is no longer feasible for Google to take over responsibility for distributing patches. Third parties may need to step in to fill the void.