ReKey: Fixing Android's Master Key Vulnerability

Tuesday, July 16, 2013

  • Safely patch the Master Key vulnerabilities on your rooted Android device.
  • Avoid waiting months or years for your carrier to deliver a security update.
  • Created by your friendly neighborhood security experts at NEU and Duo Security.

What is ReKey?

Earlier this month, RFP from BlueBox published a sneak preview of his upcoming BlackHat talk, detailing a vulnerability in the Android platform that affects nearly all Android devices. Soon after, a vulnerability of similar nature and impact was published on Chinese forum. Both of these “Master Key” vulnerabilities allow an attacker to modify the code of an Android package without affecting the signature of the package as verified by the package manager, which has serious implications when considering system-signed packages. From an end user perspective, the vulnerabilities allow an attacker to take full control of a user’s device.

So, bugs happen. Sometimes really bad bugs happen. Most of the time these really bad bugs like the ones discovered get patched and deployed to users quickly. In this case, the vulnerabilities were both patched quickly in the Android Open Source Project (AOSP) by Google. Unfortunately, due to the way updates are handled in the Android software ecosystem, the responsibility falls upon the OEMs and carriers to take the upstream AOSP fixes and deploy them to users. Indeed, there is often a period of months and sometimes years where Android vulnerabilities go unpatched since carriers are notoriously slow in rolling out security patches to their users. Last year, we reported that over 50% of Android devices worldwide have unpatched vulnerabilities from the result of our DARPA-funded X-Ray project. With the recently-disclosed vulnerabilities, that number will spike to nearly 100% until carriers are able to adequately patch their subscribers' devices.

Enter ReKey. ReKey is the result of an ongoing research collaboration between Northeastern University’s SecLab research group and Duo Security. It is a mobile app for the Android platform that, in essence, takes the upstream patch from Google and deploys it in a safe and non-destructive manner on your device. The end result is that Android users are able to immediately protect their Android phone from the “Master Key” vulnerabilities, without having to wait on security updates from their mobile carrier. For more technical details, see below.

We’re releasing the first beta of the ReKey app today to get more widespread testing and allow users to protect themselves. If you experience any incompatibilities on your device, please shoot us an email at rekey@duosecurity.com along with your device model and Android version number.

Slow vendor security patches used to be a huge problem in the traditional (non-mobile) computing space. It wasn’t uncommon to see third-parties step in and release unofficial hotfixes to vulnerabilities before the vendors were able to roll them out. Since then, desktop software vendors have been able to step their game up and deliver patches in hours instead of months. We’re doing the same for mobile, in hopes carriers will eventually improve their practices. Until then, ReKey and similar efforts will play an important role in improving the overall state of mobile security. Don’t hold your breath.

Who is behind ReKey?

Northeastern University

The Systems Security Lab at Northeastern University (NEU SecLab) has a focus on practical security research, and is active in a number of areas spanning systems and network security. Particular research interests include mobile security, web security, security applications of program analysis, botnets, and malware. SecLab researches tools and techniques for making the Internet a safer place.

Learn more about NEU SecLab

Duo Security

Duo Security is the easiest two-factor authentication service to deploy, administer, and use. Over 1,000 organizations in over 80 countries rely upon Duo to prevent online account takeover and data theft. Backed by Google Ventures and True Ventures, Duo has been deployed by some of the most security-conscious organizations on the planet along with 3 of the top 5 social networks.

Learn more about Duo Security

How does ReKey work?

ReKey is based on a dynamic instrumentation framework for Dalvik bytecode. Both “Master Key” vulnerabilities are present in software that is written in Java and is executed in the Dalvik VM. ReKey injects a small piece of code into the running Android framework. The code dynamically patches the ZipEntry and ZipFile classes to interpose on the vulnerable routines and thereby fix the root cause of the bugs. In addition to fixing the bugs, ReKey installs a warning system that alerts the user when they attempt to install an APK that abuses the vulnerabilities.

Why does my device need to be rooted?

In order to patch the vulnerabilities on your device, ReKey requires escalated privileges. Normal unprivileged applications on stock Android devices do not possess such privileges, hence the need for a rooted device with the Superuser (or similar) application.

Wow, that sounds lame, huh? Well, to make things more interesting, it is technically possible for the ReKey app to exploit the unpatched vulnerability in order to gain the privileges needed to patch that vulnerability. However, distributing a reliable exploit that could be re-used by malicious parties may not be in the best interest of public safety. That being said, if a weaponized exploit was observed being used publicly in the wild for nefarious purposes, that would “change our calculus” or whatever the phrase is these days. Stay tuned.

Why aren’t the “Master Key” vulnerabilities patched?

Good question! The short answer is that mobile carriers are slow and conservative when supplying security patches (and Android updates in general) to their users. The end result is that users and their devices are left exposed to public vulnerabilities for months or even years.

The longer answer is the subject of our DARPA-funded X-Ray project. The software underlying a modern mobile device is controlled by many parties. Google may be in charge of the base Android Open Source Project, but a typical device includes many different packages, drivers, and customizations from carriers, manufacturers, and other third-parties, not to mention all the open source components (Linux kernel, WebKit, libraries) owned by various project maintainers. When a vulnerability is discovered, coordinating with the responsible parties isn’t a trivial task. You’d probably lose if you tried to play Six Degrees of Separation with the developer who introduced the vulnerability, and the party who’s responsible for patching it.

Long story short: users don’t receive critical security updates in a timely fashion. Bad things result.

Why are the “Master Key” vulnerabilities dangerous?

If your device is vulnerable to one of the “Master Key” security flaws that were recently disclosed, a malicious attacker may exploit the vulnerabilities to gain full, unrestricted control over your Android device. While the apps you install from the Google Play store are normally restricted by the permissions you grant them and constrained by the Android sandbox, these vulnerabilities allow a malicious application to escalate privileges and perform any action they desire without you knowing.

Can I trust ReKey with root access on my device?

Did you see those seals up above? They look pretty darn official and trustworthy. They have Latin phrases and everything.

But seriously, you can trust us. We’re semi-reputable individuals (Collin Mulliner, Jon Oberheide) with a long history of mobile security research, backed by more reputable organizations (Northeastern University, Duo Security). Did we mention the seals?!? Props for not installing random apps as root without at least thinking that question in your head.

Can I uninstall the ReKey app after running it once?

Careful! You need to keep the ReKey app installed to maintain protection against the Master Key vulnerabilities. Uninstalling ReKey will result in your device becoming vulnerable again.

The ReKey app does not modify your device’s software in any persistent manner. Instead, it patches the vulnerability in volatile memory. So running ReKey the first time will patch your device immediately, and ReKey will automatically re-patch it every time you reboot, as long as the app stays installed.

Why does Bluebox’s scanner say my device is still vulnerable?

Bluebox’s scanner uses a method of vulnerability checking that does not take into account ReKey’s patching mechanism. To be clear, ReKey will patch the vulnerability on your device, even if the Bluebox scanner does not detect the patch correctly. Bluebox is working on an update to the scanner to interoperate with ReKey.

To verify that your device has been patched, you can attempt to install a PoC APK to test whether it is properly blocked by ReKey. If you observe the INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING error when attempting to install the PoC APK via “adb install”, you are patched:

$ adb install rekey-poc.apk 
2755 KB/s (64844 bytes in 0.022s)
pkg: /data/local/tmp/rekey-poc.apk
Failure \[INSTALL\_PARSE\_FAILED\_CERTIFICATE\_ENCODING\]

If you run “adb logcat” during the install process, you should see the following output indicating that ReKey has blocked the attack:

W/PackageParser(  391): java.util.zip.ZipException: duplicate zipEntry, security breach!

Ready to take back control of the security of your Android device?

Copyright © 2021 - Jon Oberheide