# (Easy) Patch for masterkey vulnerabilities



## quickdraw86 (Jan 30, 2012)

By now, most android users have likely heard of the masterkey exploit which affects millions of android devices worldwide. The exploit(s) which allow malicious hackers to add malicious code to an .apk file or .zip without altering the encryption signature, can allow those individuals to gain total remote control over an android device onto which such files are installed. These exploits were first discovered by independent security firm Bluebox, and they notified Google of the risks, but google didn't push out the patches until June or July of 2013. OEM roms or updates to them before that don't include the masterkey fixes. Users that install applications from locations besides the play store are at the largest risk, and though Google does scan playstore apps for exploits like this, it's very possible that one could slip through.

More about the android masterkey vulnerability:

http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

Luckily, the patch has been made easy to install for users of affected devices via an xposed framework module.

First, you'll need the xposed installer application:

http://forum.xda-developers.com/showthread.php?t=1574401

Download the latest version of the app, allow installation from unknown sources in security settings, and install. Install the framework, and reboot. Go back to security settings and disallow installation of apps from unknown sources if you wish.

At this point, visit the playstore and download bluebox's masterkey scanner app:

https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner

Open the app and let the scan run. The result should be that your device is vulnerable to the first two masterkey vulnerabilities:

8219321 (1st)
9695860 (2nd)

Return to the play store and download the masterkey fix app:

https://play.google.com/store/apps/details?id=tungstwenty.xposed.masterkeydualfix

After the app has been installed, open the xposed installer app, go to the modules section, enable the masterkey module. Reboot. Profit.

You can run the bluebox scan app again to make sure the module took if you wish, and uninstall the scanner app as well if you'd like.


----------

