A few weeks ago the "Master Key" APK verification vulnerability rocked the Android security landscape... then immediately stopped rocking it, once Google revealed that they had patched the vulnerability months ago. Still, that's little comfort to users who aren't on a brand-new 4.2 phone (or, you know, a Nexus device that gets real updates). CyanogenMod has responded by patching all of its official ROMs (twice), and now noted security firm Duo has teamed up with Northeastern University's SecLab to do the same for all rooted Android users, regardless of their device. The patch is called "ReKey," and it's available from both the Play Store and the ReKey website.


The fix for Android is not a complex one. The Master Key exploit sidesteps Android's built-in signature verification by duplicating file names and hosting dummy versions of system-level apps, replacing them with malicious versions that have theoretical control of the entire device. It's worth noting that no uses of this exploit have been found "in the wild," but it was still comforting to know that Google had patched the issue itself back in February. It was less comforting to hear that nearly every device that wasn't getting semi-constant updates from Google was still vulnerable (and Nexus devices as well for the second Master Key exploit), with the notable exception of the Google Editions of the Galaxy S4 and HTC One (both running Android 4.2.2) and the vanilla S4 as well.
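As an added example (not code from the article, Duo Security or Google): a minimal Python check for the duplicated file names described above, reporting every entry name that appears more than once in an APK's ZIP directory. The function names are assumptions of this example, and the sample archives are constructed placeholders, not real APKs.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(apk_bytes):
    """Map each entry name listed more than once to its (offset, CRC, size) records."""
    by_name = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps every central-directory record, including repeats
        for info in zf.infolist():
            by_name[info.filename].append(
                (info.header_offset, info.CRC, info.file_size))
    return {name: recs for name, recs in by_name.items() if len(recs) > 1}


def is_suspicious(apk_bytes):
    """A well-formed APK never needs two entries with the same name."""
    return bool(duplicate_entries(apk_bytes))


def build_sample(names):
    """Constructed test archive: one placeholder entry per name."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile emits a UserWarning when a name is written twice
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, f"placeholder {i}".encode())
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample(["AndroidManifest.xml", "classes.dex", "resources.arsc"])
    dup = build_sample(["AndroidManifest.xml", "classes.dex", "classes.dex"])
    for label, data in (("clean", clean), ("duplicate", dup)):
        print(label, "suspicious" if is_suspicious(data) else "ok")
        for name, recs in duplicate_entries(data).items():
            for offset, crc, size in recs:
                print(f"  {name}: offset={offset} crc={crc:08x} size={size}")
```

Differing CRCs for the same name mean the two copies have different contents, which is the case worth escalating.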

The good news about Duo Security's ReKey is that it's free, and it's the real deal. Duo made a name for themselves publishing some holes in Google's Play Store Bouncer defense system, then making the X-Ray vulnerability scanner, which reliably finds (but does not eliminate) serious security holes on devices. ReKey was developed by security engineers from Duo and the Systems Security Lab at Northeastern University. They know what they're talking about. The bad news is that the ReKey application needs root permissions itself to do its thing and update your device's security. It's a pretty inevitable restriction that nonetheless means the vast majority of Android users will have to wait a long time for their device manufacturer - or even longer for their wireless carrier - to issue an official patch.

Still, for advanced users who aren't running the latest hardware or a custom ROM, which covers a considerable portion of those of you reading this, ReKey is a great solution for the moment. You can download the app itself from the website below, and the Play Store version is live as well. It's compatible with all devices running Android 2.0 and higher.

Source: Duo Security ReKey

Jeremiah Rice
Jeremiah is a US-based blogger who bought a Nexus One the day it came out and never looked back. In his spare time he watches Star Trek, cooks eggs, and completely fails to write novels.

  • Thomas’

    Just out of curiosity - the Google Play Services could not be used to provide security against this security hole, or? I mean, just like Google pushed the APK verification from 4.2 to the Play Services, such that older devices can use it.

    • Christopher Mason

      Maybe it already does and there's no need for apps like this... Google did say they patched it.

  • jason

    That app tells me my device isn't secure and I'm running CM 10.1.2. Not sure I'd trust the app.

    • http://www.about.me/FHL09 Troy

      I don't think it informs you if your device is secure against the Master Key per se but more that your device is secure with ReKey itself.

      Although I could be wrong.

  • awaaas

    There's an Xposed framework module that does the same thing: http://forum.xda-developers.com/showthread.php?t=2365294

  • Ahmed Maher

    Jeremiah, are you sure of this? Can we trust this app? The company didn't make any other apps on the Play Store and this made me suspicious.

    • bb

      Duo Security made Duo Mobile, and it's quite a nice app/service.

      • Ahmed Maher

        Did you try it?

        • bb

          Yes, I actually use it at home (SSH and some other OTP tokens). It's a nice take on 2-factor authentication with their push service.

          • Ahmed Maher

            Okay, that's enough for me. I'll try it.

          • brewmaster

            Paranoid: I don't trust this software.

            Random internet stranger: It's fine!

            Paranoid: Good enough for me. SOLD!


          • Ahmed Maher

            Paranoid doesn't trust this software? Anyway, I installed it and there was no button on my screen and no scroll.

    • username_already_exists_error

      Dug Song is part of Duo Security. He's one of the contributors to the OpenSSH and OpenBSD projects. If you know OpenBSD and OpenSSH, you'll trust him enough. He's also the author of dsniff and also a team member of the Honeynet Project. He did security stuff long before Android existed.

  • Lim Wee Huat

    A temporary solution before we get the patch update...

  • MasterMuffin

    Why does it need root access when the exploit allows system permissions even without root?

    • cottage McKay

      Because it's not using the exploit to patch the exploit

      • MasterMuffin

        Obviously, but why not? Nobody's using this exploit to the advantage of everyone. They could make the patching available for everyone if they wanted, and someone could make a root method using this, but nobody's doing anything!

      • wolfkabal

        Though, that would be a nice way to detect if you're even vulnerable. If it can use the exploit, use it to patch itself. If it can't use the exploit, then there's nothing to patch. Then it could cover all users, and not those already rooted. If anything it at least sounds fun in concept.

        • YeahButNo

          Yeah! What an awesome idea! ... uhm not really! Clearly you don't understand what this vulnerability is about... Since Duo Security and other legitimate developers wanna be known for the apps they make, they use play store and ask for SU permissions, they're not gonna tamper with Google Maps update just to prove that they can. If you want there are plenty of websites with APKs of uncertain origin just waiting to take over your precious electronic belongings ;)

          PS: It makes me smile: "To root your device with our method, and patch security holes, just install our Google Maps update" ;)

          • wolfkabal

            I was mostly poking fun at the concept, and their X-Ray app actually does something close for detecting some of the exploits, so it's not too far off from reality. Obviously it's not practical, but from an academic standpoint, a fun "thought" process.

  • ProductFRED

    It bootloops my Note 2. Other Play Store reviews say the same.

  • cottage McKay

    Just use the Xposed module by the dev who made Greenify...

  • JonnyB

    Do you mean that Nexus has been patched by Google already?

  • Stephen Smithett

    Does not work for the Nexus 4, says it's patched but the Bluebox Security Checker still shows as Unpatched/vulnerable.

    Bluebox Security Scanner : https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner

  • Melissa Peterson

    I used the X-ray scanner and the Bluebox security scanner, an app someone suggested in the comments. Both say my rooted HTC One w/stock Sense ROM does not have any of the vulnerabilities that they check for. It looks like I'm doing alright for the time being.

    Edit: That means I didn't have to apply the patch.

  • flimsy888

    Bootlooped HTC One

    • Melissa Peterson

      Did you check to see if it was already protected, because my HTC One is fine after running two apps that check for vulnerabilities. One is X-ray, made by the same company mentioned in the article, and the other is Bluebox security scanner. Both of them said my One was protected. So I didn't see the need to download the app.

  • hp420

    Not that I don't trust this app, but it's just dripping with irony: side loading an app fixes a security hole in the app sideloading system.

  • Alex Esparza-Sandy

    Installed on my Sprint HTC One running ViperROM and it popped up saying I wasn't protected. Don't know what to make of this but I "fixed" it now.