[guardian-dev] What to do about Android "master key" bug

Mark Murphy mmurphy at commonsware.com
Fri Jul 5 08:37:25 EDT 2013


On Fri, Jul 5, 2013 at 8:04 AM, Nathan of Guardian
<nathan at guardianproject.info> wrote:
> Yeah, this is kind of a big deal.

IMHO, it's not, until the attack is independently verified, and so far
all I have seen about Bluebox's claims come from Bluebox (or the media
reporting on the press release). Too many of these "PR-ware" attacks
have inflated claims.

If you see others reproducing the problem, in advance of Black Hat, let me know.

> Here is my idea, and it is perhaps a great way to promote GnuPG... we
> could write our GPG APK signature verifier app, that scans your
> installed APKs, and verifies signature files of APKs, when it has an
> associated .sig/.asc.

That assumes that the attack involves modifying the APK.

I find it curious that within the past couple of weeks, this question
appeared on StackOverflow:

http://stackoverflow.com/q/17296118/115145

The answer (with its lengthy comment chain) is from Andy Fadden of the
Android development team.

Basically, it discusses a possible attack by which the ODEX files are
manipulated by an attacker, allowing for behavior changes in an app
without having to worry about digital signatures. However, as Andy
wrote:

> The assumption is that, if an attacker is able to replace a .odex file, they have sufficient permission to do any number of other things.

Let's pretend for a moment that what Bluebox is talking about is this
attack. In that case, "99% of Android devices" are at risk... if you
know of a privilege escalation attack that can be used without
significant user involvement, as (AFAICT) it requires root or running
as a specific system account to be able to modify the ODEX files. That
would dramatically reduce the scope of the *actual* threat, yet allow
the PR-ware to be the "least untruthful".

--
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

On these websites you can ask or answer questions about Android
application development: http://www.andglobe.com

