[PATCH] Everything about Android "Master Key" Vulnerability

Hello everybody!

You might have heard of the notorious "Master Key" Vulnerability that affects 99% of Android devices. It basically allows a knowledgeable attacker to access all private and application data. For more information visit: http://bluebox.com/corporate-blog/bl...id-master-key/.

The CM team recently (on 7th July) committed the fix. Here it is: https://github.com/CyanogenMod/andro...3d16fdbc19f1f8. Gerrit link: http://review.cyanogenmod.org/#/c/45251/


As reported by @parmarket, it is vulnerable as I expected. But not anymore! I've created a patch from the differences of an older and a newer, patched core.jar from CM 10.1.

Things in attachment:
  • A before and an after screenshot
  • The patch
  • XWLP8 core.jar patched (This is very likely to work on other ICS roms as well.) -> How to install? Replace the core.jar file in '/system/framework/' (create a backup first to be sure) and wipe dalvik cache in recovery. Or another method: delete all files from '/data/dalvik-cache/' (don't delete the directory). Of course this needs root.

List of invulnerable (patched) roms:
  • CM 10.1.1 experimental
  • CM nightlies starting from 8th July (There isn't any build on 7th July.)

Any other roms that are not in the list are vulnerable! If you bump into this thread, please test the rom you are using and report so I can extend the list. Thx! Perform the test with this app: https://play.google.com/store/apps/d...onerootscanner.

Every custom modification to a device has risks. Use this at your own risk!

Have fun and enjoy!

Attached files:
  • core_sgr_patched.jar
  • fix_ZipFile.patch
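The thread points to the Bluebox write-up rather than explaining the bug, so here is the background in one line: the "Master Key" flaw is that an APK (a ZIP) may carry two entries with the same name, and the signature verifier and the code loader can each pick a different one. The fix_ZipFile.patch attached above is what makes ZipFile refuse such archives. The Python below is an added example, not code from this post or from CyanogenMod: it builds a constructed in-memory ZIP with a duplicated classes.dex, shows that a "first match" reader and a "last match" reader return different bytes from the very same file, and gives a check a ROM tester or APK scanner can run to flag duplicated entry names. All file names and contents are made up for the demonstration.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk() -> bytes:
    """Build a constructed, in-memory ZIP with one entry name used twice.
    It stands in for a tampered APK; the contents are sample data only."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", "<manifest/>")
            zf.writestr("classes.dex", b"ORIGINAL-DEX")
            zf.writestr("classes.dex", b"REPLACED-DEX")  # second entry, same name
    return buf.getvalue()


def duplicate_entries(zip_bytes: bytes) -> dict:
    """Return {name: count} for every entry name that occurs more than once
    in the central directory. A well-formed APK gives an empty dict."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def read_first_match(zip_bytes: bytes, name: str) -> bytes:
    """Reader that takes the first central-directory entry with this name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)
    raise KeyError(name)


def read_last_match(zip_bytes: bytes, name: str) -> bytes:
    """Reader that takes the last entry with this name. This is what
    zipfile's name lookup does, because later entries overwrite earlier
    ones in its name table."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def check_apk(zip_bytes: bytes) -> bool:
    """Accept the archive only if no entry name is duplicated, which is the
    strict behaviour a patched ZipFile enforces."""
    return not duplicate_entries(zip_bytes)


if __name__ == "__main__":
    apk = build_sample_apk()
    print("duplicated names:", duplicate_entries(apk))
    print("first-match reader sees:", read_first_match(apk, "classes.dex"))
    print("last-match reader sees: ", read_last_match(apk, "classes.dex"))
    print("accept archive:", check_apk(apk))
```

Two parsers disagreeing on one archive is the whole problem: whichever copy the verifier hashes, the other copy is what gets loaded. Rejecting duplicated names outright, as the attached patch does, removes the ambiguity instead of trying to make every parser agree. To scan a real APK, pass the file's bytes to check_apk.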