
Scan your device for Android "Master Key" bug and status

Bluebox (the one who discovered the vulnerability) released a free app to tell you the status of the fix on your device.

 

I just grabbed the free app, and it tells you a few useful things, besides whether you have the vulnerability or not.  I didn't know I had non-market installs "allowed".

http://bluebox.com/corporate-blog/free-scanner-to-manage-risk-of-major-android-vulnerability/

edit: added pix of my phone instead of generic image of app

My Rigs (past and present)


hopefully every carrier is making the fix a priority update on all phones old or new but I doubt they care about the old ones :3 


I have a Nexus 4 fully up to date, you think Google would have had this patched by now, cause it still says I'm unpatched

Intel 4790k • Asus Z97-A • Gigabyte GTX 970 Windforce • G.Skill 1866 4GBx2 • Corsair HX850W PSU • Noctua NH-D15 Air Cooler • Intel 530 120GB SSD(OS) • 1TB HDD(Games) • Cooler Master HAF 912 • Logitech G15 Key • Razer Abyssus Mouse • Asus 24in 144hz VG248QE


I have a Nexus 4 fully up to date, you think Google would have had this patched by now, cause it still says I'm unpatched

There aren't that many Nexus devices so I would expect they have it already too.  Also makes me wonder when people who have custom ROMs say they already have it patched.

hopefully every carrier is making the fix a priority update on all phones old or new but I doubt they care about the old ones :3

I doubt Motorola/Google will update my Droid X though.  Though if this exploit is as powerful as they say, then it might be possible to do your own exploit on the device and get rid of all the extra fluff on your own phone.

My Rigs (past and present)


How is my Nexus 4 still vulnerable... shouldn't Google patch the Nexus line first


How is my Nexus 4 still vulnerable... shouldn't Google patch the Nexus line first

My Nexus 4 is updated but I have CyanogenMod, you will get an update very very soon, that's the advantage of having a Nexus device

 Asus M5A99X Evo  - AMD FX-8350 - 16GB Corsair Vengeance 1866Mhz - Corsair 120mm Quiet Edition Fans BenQ XL2411Z- EVGA GTX 980 Superclocked Fractal Design Define R4 - Corsair H100i - 2 TB 7200rpm HDD - Samsung 840 Evo 120GB - Corsair RM750w PSU - Logitech G502 Proteus Core - Corsair K70 RGB MX Red - Audio Technica M50x + Modmic 4.0 - LG 23EA63V x2


Spinthat Spinthat Spinthat Spinthat


Let's say I found that my phone is vulnerable.

I heard Google fixed the bug.

But how can I actually get the patch?

MB :MSI Z77a G45 | Proc: I5 3570K (Stock) | HSF : CM 212X turbo | RAM : Corsair Vengeance 8GB (2X4GB) | VGA : MSI GTX 660 Twin Frozr | PSU : Corsair GS600 | Case : CM Storm Enforcer | Storage :  OCZ Vector 128GB, WD Blue 500GB , Samsung 840 Evo 120GB, WD Blue 1TB


yeah Google fixed the bug like yesterday or the day before or something ... it will roll out to Nexus devices soon, and whoever has CyanogenMod, well, those guys patched it already.

(1) high frame rate (2) ultra graphics settings (3) cheap...>> choose only two<<...

 

if it's never been done then i'm probably tryna do it. (((((((Bass so low it HERTZ)))))))


Let's say I found that my phone is vulnerable.

I heard Google fixed the bug.

But how can I actually get the patch?

Hope that your mobile phone carrier can be bothered pushing the fix. However, given the lack of enthusiasm to push out any kind of update whatsoever, I doubt that any phone older than 12-18 months will get the fix deployed.

Intel i7 5820K (4.5 GHz) | MSI X99A MPower | 32 GB Kingston HyperX Fury 2666MHz | Asus RoG STRIX GTX 1080ti OC | Samsung 951 m.2 nVME 512GB | Crucial MX200 1000GB | Western Digital Caviar Black 2000GB | Noctua NH-D15 | Fractal Define R5 | Seasonic 860 Platinum | Logitech G910 | Sennheiser 599 | Blue Yeti | Logitech G502

 

Nikon D500 | Nikon 300mm f/4 PF  | Nikon 200-500 f/5.6 | Nikon 50mm f/1.8 | Tamron 70-210 f/4 VCII | Sigma 10-20 f/3.5 | Nikon 17-55 f/2.8 | Tamron 90mm F2.8 SP Di VC USD Macro | Neewer 750II


According to the app my Galaxy S2 is patched.


According to the app my Galaxy S2 is patched.

That's pretty quick.  Did you get the update from your provider?

My Rigs (past and present)


How many people have downloaded an app not from the Play store and then checked the cryptographic key to make sure it is legit?

As has already been said this problem only can affect apps not installed through the Play store, also why does this 'checker' app need full network access?

However it does highlight the single largest flaw in Android, that all updates, even security ones, have to be created and supplied by the manufacturers and, if you have a network bloatware device, then vetted by the mobile network, which, because they want you to upgrade to a new phone, they are reluctant to push out.

@stevv Some Samsung TouchWiz devices are already immune because of the modifications Samsung do.

So to sum up if you install apps outside the Play Store cross your fingers and toes you get an update, if you only have installed apps through the Play Store (which I'm willing to bet a humongous percentage of people only do) then this is a non issue.


Well that's nice. £350 HTC One X, no patch. £99 Acer tablet, patched!


Hope that your mobile phone carrier can be bothered pushing the fix. However, given the lack of enthusiasm to push out any kind of update whatsoever, I doubt that any phone older than 12-18 months will get the fix deployed.

Well that's screwed :| remembering that I live in a country where most people have BlackBerry. Isn't there any way I can get the patch without waiting for my carrier?

MB :MSI Z77a G45 | Proc: I5 3570K (Stock) | HSF : CM 212X turbo | RAM : Corsair Vengeance 8GB (2X4GB) | VGA : MSI GTX 660 Twin Frozr | PSU : Corsair GS600 | Case : CM Storm Enforcer | Storage :  OCZ Vector 128GB, WD Blue 500GB , Samsung 840 Evo 120GB, WD Blue 1TB


How many people have downloaded an app not from the Play store and then checked the cryptographic key to make sure it is legit?

As has already been said this problem only can affect apps not installed through the Play store, also why does this 'checker' app need full network access?

However it does highlight the single largest flaw in Android, that all updates, even security ones, have to be created and supplied by the manufacturers and, if you have a network bloatware device, then vetted by the mobile network, which, because they want you to upgrade to a new phone, they are reluctant to push out.

@stevv Some Samsung TouchWiz devices are already immune because of the modifications Samsung do.

So to sum up if you install apps outside the Play Store cross your fingers and toes you get an update, if you only have installed apps through the Play Store (which I'm willing to bet a humongous percentage of people only do) then this is a non issue.

Yeah, I question at times when an app wants full network access.  I remember when I was looking for a stopwatch app, and the most popular ones all had full network access.  I had to go down the list till I found one without funky access permissions.  Sad part is that the updated version of that app wants network access.. so no update.  Sorry, I digress.

From the Bluebox FAQ (pdf):

If a user only installs apps from Google Play, then there is no problem, right?

Yes, since Google has claimed to have taken steps to “inoculate” Google Play for this problem due to Bluebox’s disclosure of the problem. However, the practical reality is that Google Play is not the only app store used by the Android ecosystem. Markets such as Amazon, GetJar, SlideME, etc. also service large amounts of the Android population. Device manufacturers such as Samsung and HTC have their own vendor-specific markets, with the market clients included by default on the device. Our test Samsung Galaxy S4 has the “Samsung Apps” market pre-installed, and our test HTC One X has the “HTC Hub” market pre-installed. Blackberry supports Android apps, but those apps must be sourced from the Blackberry World market. Further, there are geographical regions that are not serviced by Google Play at all, or the societal/cultural dynamics in that region are such that an alternate app market is preferred (e.g. Baidu app market in China). Going further we get into the realm of users who knowingly pirate applications, or side-load them via Android Debug Bridge (ADB).

Well that's screwed :| remembering that I live in a country where most people have BlackBerry. Isn't there any way I can get the patch without waiting for my carrier?

It's the same with me, I have Verizon and Droid X.  I doubt they will update since they did everything they could to lock the phone (even when Moto said they wouldn't).  Just have to be mindful of the apps you're installing, and the source.  I'll update the OP with more info when I find.

My Rigs (past and present)


It's the same with me, I have Verizon and Droid X.  I doubt they will update since they did everything they could to lock the phone (even when Moto said they wouldn't).  Just have to be mindful of the apps you're installing, and the source.  I'll update the OP with more info when I find.

It actually took me 2-6 months for the update to roll out to my country (last time I used it), which is sad. This caused a problem for my brother's S3 with Android's old bug where the device will be bricked (can't be used in any way other than as a 700$ paperweight) because the update was 1 month late.

MB :MSI Z77a G45 | Proc: I5 3570K (Stock) | HSF : CM 212X turbo | RAM : Corsair Vengeance 8GB (2X4GB) | VGA : MSI GTX 660 Twin Frozr | PSU : Corsair GS600 | Case : CM Storm Enforcer | Storage :  OCZ Vector 128GB, WD Blue 500GB , Samsung 840 Evo 120GB, WD Blue 1TB


  • 2 months later...

Latest firmware [45.621.10.MB810.Verizon.en.US] for Droid X patched bug 8219321 and bug 9695860

I guess they finally got started.  Newer Droid Charge (Samsung) still not patched.

My Rigs (past and present)

