Missing signs: how several brands forgot to secure a key piece of Android
Missing signs: how several brands forgot to secure a key piece of Android
We recently discovered that Android devices from multiple major brands sign APEX modules—updatable units of highly-privileged OS code—using private keys from Android’s public source repository. Anyone can forge an APEX update for such a device to gain near-total control over it. Rather than negligen...
I have the December 5 security patch. Is there still a chance that my device is not secure?
Give the article a read. Your answer is right at the top.
I asked after reading the article. It mentions December 5 but also has bits about:
November 7th, 2023: Google updates the Partner Security Advisory to add the CVE number and a note that only “builds … claiming the 2023-12-05 SPL or higher” will be subject to BTS enforcement on December 4th
It still leaves an ambiguity if your device is properly patched, today January 31.
You shouldn’t be vulnerable to this