Missing signs: how several brands forgot to secure a key piece of Android
Missing signs: how several brands forgot to secure a key piece of Android
We recently discovered that Android devices from multiple major brands sign APEX modules—updatable units of highly-privileged OS code—using private keys from Android’s public source repository. Anyone can forge an APEX update for such a device to gain near-total control over it. Rather than negligen...
You're viewing a single thread.
I have the December 5 security patch. Is there still a chance that my device is not secure?
Give the article a read. Your answer is right at the top.
I asked after reading the article. It mentions December 5 but also has bits about:
November 7th, 2023: Google updates the Partner Security Advisory to add the CVE number and a note that only “builds … claiming the 2023-12-05 SPL or higher” will be subject to BTS enforcement on December 4th
It still leaves an ambiguity if your device is properly patched, today January 31.