11mo ago

Missing signs: how several brands forgot to secure a key piece of Android

rtx.meta.security Missing signs: how several brands forgot to secure a key piece of Android

We recently discovered that Android devices from multiple major brands sign APEX modules—updatable units of highly-privileged OS code—using private keys from Android’s public source repository. Anyone can forge an APEX update for such a device to gain near-total control over it. Rather than negligen...

You're viewing a single thread.

4 comments

I have the December 5 security patch. Is there still a chance that my device is not secure?
- Give the article a read. Your answer is right at the top.
  
  I asked after reading the article. It mentions December 5 but also has bits about:
  November 7th, 2023: Google updates the Partner Security Advisory to add the CVE number and a note that only “builds … claiming the 2023-12-05 SPL or higher” will be subject to BTS enforcement on December 4th
  It still leaves an ambiguity if your device is properly patched, today January 31.
- You shouldn’t be vulnerable to this