<div dir="ltr"><div class="im" style="font-family:arial,sans-serif;font-size:13.333333969116211px"><div class="gmail_quote">On Fri, Jul 5, 2013 at 8:04 AM, Nathan of Guardian <span dir="ltr"><<a href="mailto:nathan@guardianproject.info" target="_blank">nathan@guardianproject.info</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="overflow:hidden">Here is my idea, and it is perhaps a great way to promote GnuPG... we<br>
could write our GPG APK signature verifier app, that scans your<br>installed APKs, and verifies signature files of APKs, when it has an<br>associated .sig/.asc.<br><br>Perhaps we can maintain a repo of APKs and associated APK sig download<br>
locations? Could this be built into Weather Repo?</div></blockquote></div><br></div><span style="font-family:arial,sans-serif;font-size:13.333333969116211px">Absolutely. And this could be a great way for Daniel McCarney to get on board to help, if that's feasible. I'm about to hit the road, but more details when I return to the city...</span><br>
</div><br clear="all"><div><div>++++++++++++++++++++++++++</div><div>Research Fellow, Head of Metadata</div><div><a href="https://guardianproject.info" target="_blank">The Guardian Project</a></div><div><br></div><div>pgp: 0xA4469630</div>
<div>twitter: @harlo</div></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jul 5, 2013 at 8:04 AM, Nathan of Guardian <span dir="ltr"><<a href="mailto:nathan@guardianproject.info" target="_blank">nathan@guardianproject.info</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 07/03/2013 07:54 PM, Harlo Holmes wrote:<br>
><br>
> <a href="http://threatpost.com/android-vulnerability-enables-malicious-updates-to-bypass-digital-signatures/" target="_blank">http://threatpost.com/android-vulnerability-enables-malicious-updates-to-bypass-digital-signatures/</a><br>
><br>
> I hope to check this out in Vegas. I'm not going to Black Hat, but DEFCON<br>
> gets a lot of cross-over...<br>
<br>
Yeah, this is kind of a big deal. Perhaps Derek/Lookout will have some<br>
response.<br>
<br>
Here is my idea, and it is perhaps a great way to promote GnuPG... we<br>
could write our GPG APK signature verifier app, that scans your<br>
installed APKs, and verifies signature files of APKs, when it has an<br>
associated .sig/.asc.<br>
<br>
Perhaps we can maintain a repo of APKs and associated APK sig download<br>
locations? Could this be built into Weather Repo?<br>
<br>
With F-Droid, we do use a signed repo, but not sure if that helps in<br>
this context.<br>
<br>
Ultimately, the threats here are two-fold:<br>
<br>
1) A malicious app is installed outside of Google Play via email<br>
attachment, unexpected web download, or faked "system update". It<br>
installs over actual APK without any prompt.<br>
<br>
2) Google Play forces an update to an app, with the update not coming<br>
from a developer, but from a hostile adversary who has convinced Google<br>
that you are a threat.<br>
<br>
#2 is already possible with Google Apps themselves, so there isn't<br>
really a change.<br>
<br>
#1 can be blocked if you disable "unknown location" installs, but that<br>
leaves you only with #1 as an option for app installs.<br>
<br>
Anyhow, brought this discussion over to guardian-dev to see what people<br>
think, and figure out if there is anything we can or should do to<br>
response to this fairly fundamental Android bug.<br>
<span class="HOEnZb"><font color="#888888"><br>
+n<br>
</font></span></blockquote></div><br></div>