A few weeks ago the "Master Key" APK verification vulnerability rocked the Android security landscape... then immediately stopped rocking it, once Google revealed that they had patched the vulnerability months ago. Still, that's little comfort to users who aren't on a brand-new 4.2 phone (or, you know, a Nexus device that gets real updates). CyanogenMod has responded by patching all of its official ROMs (twice), and now noted security firm Duo has teamed up with Northeastern University's SecLab to do the same for all Android rooted users, regardless of their device. The patch is called "ReKey," and it's from both the Play Store and the ReKey website.

unnamed (22) unnamed (23)

The fix for Android is not a complex one. the Master Key exploit sidesteps Android's built-in signature verification by duplicating file names and hosting dummy versions of system-level apps, replacing them with malicious versions that have theoretical control of the entire device. It's as well to note that no uses of this exploit have been found "in the wild," but it was still comforting to know that Google had patched the issue itself back in February. It was less comforting to hear that nearly every device that wasn't getting semi-constant updates from Google was still vulnerable (and Nexus devices as well for the second Master Key exploit), with the notable exception of the Google Editions of the Galaxy S4 and HTC One (both running Android 4.2.2) and the vanilla S4 as well.

The good news about Duo Security's ReKey is that it's free, and it's the real deal. Duo made a name for themselves publishing some holes in Google's Play Store Bouncer defense system, then making the X-Ray vulnerability scanner, which reliably finds (but not eliminates) serious security holes on devices. ReKey was developed by security engineers from Duo and the Systems Security Lab at Northeastern University. They know what they're talking about. The bad news is that the ReKey application needs root permissions itself to do its thing and update your device's security. It's a pretty inevitable restriction that nonetheless means the vast majority of Android users will have to wait a long time for their device manufacturer - or even longer for their wireless carrier - to issue an official patch.

Still, for advanced users who aren't running the latest hardware or a custom ROM, which covers a considerable portion of those of you reading this, ReKey is a great solution for the moment. You can download the app itself from the website below, and the Play Store version is live as well. It's compatible with all devices running Android 2.0 and higher.

Source: Duo Security ReKey