[guardian-dev] What to do about Android "master key" bug
Harlo Holmes
harlo at guardianproject.info
Fri Jul 5 10:48:55 EDT 2013
On Fri, Jul 5, 2013 at 8:04 AM, Nathan of Guardian <nathan at guardianproject.info> wrote:
> Here is my idea, and it is perhaps a great way to promote GnuPG... we
> could write our GPG APK signature verifier app, that scans your
> installed APKs, and verifies signature files of APKs, when it has an
> associated .sig/.asc.
>
> Perhaps we can maintain a repo of APKs and associated APK sig download
> locations? Could this be built into Weather Repo?
>
Absolutely. And this could be a great way for Daniel McCarney to get on
board to help, if that's feasible. I'm about to hit the road, but more
details when I return to the city...
++++++++++++++++++++++++++
Research Fellow, Head of Metadata
The Guardian Project <https://guardianproject.info>
pgp: 0xA4469630
twitter: @harlo
On Fri, Jul 5, 2013 at 8:04 AM, Nathan of Guardian <nathan at guardianproject.info> wrote:
> On 07/03/2013 07:54 PM, Harlo Holmes wrote:
> > http://threatpost.com/android-vulnerability-enables-malicious-updates-to-bypass-digital-signatures/
> >
> > I hope to check this out in Vegas. I'm not going to Black Hat, but DEFCON
> > gets a lot of cross-over...
>
> Yeah, this is kind of a big deal. Perhaps Derek/Lookout will have some
> response.
>
> Here is my idea, and it is perhaps a great way to promote GnuPG... we
> could write our GPG APK signature verifier app, that scans your
> installed APKs, and verifies signature files of APKs, when it has an
> associated .sig/.asc.
>
> Perhaps we can maintain a repo of APKs and associated APK sig download
> locations? Could this be built into Weather Repo?
>
> With F-Droid, we do use a signed repo, but not sure if that helps in
> this context.
>
> Ultimately, the threats here are two-fold:
>
> 1) A malicious app is installed outside of Google Play via email
> attachment, unexpected web download, or faked "system update". It
> installs over actual APK without any prompt.
>
> 2) Google Play forces an update to an app, with the update not coming
> from a developer, but from a hostile adversary who has convinced Google
> that you are a threat.
>
> #2 is already possible with Google Apps themselves, so there isn't
> really a change.
>
> #1 can be blocked if you disable "unknown location" installs, but that
> leaves you only with #1 as an option for app installs.
>
> Anyhow, brought this discussion over to guardian-dev to see what people
> think, and figure out if there is anything we can or should do to
> respond to this fairly fundamental Android bug.
>
> +n
>
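As an added illustration of the detached-signature check Nathan proposes (this is example code, not code from the thread or from the Guardian Project), the core of such a verifier is pairing each APK with its .sig/.asc sidecar and then reading gpg's machine-readable status output rather than trusting the exit code alone; it assumes a `gpg` binary on PATH, and the status lines used to exercise the parser are constructed samples.

```python
import subprocess

# Sidecar suffixes the proposed verifier would look for next to each APK.
SIG_SUFFIXES = (".asc", ".sig")


def find_signature_pairs(names):
    """Map each APK name to its detached signature (None if unsigned, so it is reported)."""
    names = set(names)
    pairs = {}
    for name in sorted(names):
        if name.endswith(".apk"):
            stem = name[:-len(".apk")]
            # Accept both "foo.apk.asc" and "foo.asc" naming styles.
            candidates = [name + s for s in SIG_SUFFIXES] + [stem + s for s in SIG_SUFFIXES]
            pairs[name] = next((c for c in candidates if c in names), None)
    return pairs


def parse_gpg_status(status_text):
    """Interpret `gpg --status-fd` output for one detached-signature check.

    A zero exit code is not enough: require GOODSIG *and* VALIDSIG and
    return the signing fingerprint so the caller can pin it to the
    developer key it expects.
    """
    good = valid = False
    fingerprint = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            valid, fingerprint = True, fields[2]  # full fingerprint of the signing key
        elif fields[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return {"ok": False, "reason": fields[1], "fingerprint": None}
    ok = good and valid
    return {"ok": ok, "reason": "VALIDSIG" if ok else "NO_VALIDSIG",
            "fingerprint": fingerprint}


def verify_apk(apk_path, sig_path, expected_fingerprint):
    """Run gpg on one APK/signature pair and pin the result to a known developer key."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, apk_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    result = parse_gpg_status(proc.stdout)
    result["ok"] = result["ok"] and result["fingerprint"] == expected_fingerprint.upper()
    return result
```

Pinning to the expected fingerprint matters because a "good" signature from any key in the keyring says nothing about whether that key belongs to the app's developer.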