[guardian-dev] What to do about Android "master key" bug

Daniel McCarney daniel at binaryparadox.net
Mon Jul 8 10:20:59 EDT 2013


Some concrete details have emerged:

https://jira.cyanogenmod.org/browse/CYAN-1602

and a POC:

https://gist.github.com/poliva/36b0795ab79ad6f14fd8

It boils down to the way that Android handles duplicate entries in the APK. It
appears you can add two files of the same name and have only one of them match
the signature defined in CERT.SF.

- Daniel

On 07/05, Nathan of Guardian wrote:
> On 07/03/2013 07:54 PM, Harlo Holmes wrote:
> > 
> > http://threatpost.com/android-vulnerability-enables-malicious-updates-to-bypass-digital-signatures/
> > 
> > I hope to check this out in Vegas.  I'm not going to Black Hat, but DEFCON
> > gets a lot of cross-over...
> 
> Yeah, this is kind of a big deal. Perhaps Derek/Lookout will have some
> response.
> 
> Here is my idea, and it is perhaps a great way to promote GnuPG... we
> could write our GPG APK signature verifier app, that scans your
> installed APKs, and verifies signature files of APKs, when it has an
> associated .sig/.asc.
> 
> Perhaps we can maintain a repo of APKs and associated APK sig download
> locations? Could this be built into Weather Repo?
> 
> With F-Droid, we do use a signed repo, but not sure if that helps in
> this context.
> 
> Ultimately, the threats here are two-fold:
> 
> 1) A malicious app is installed outside of Google Play via email
> attachment, unexpected web download, or faked "system update". It
> installs over actual APK without any prompt.
> 
> 2) Google Play forces an update to an app, with the update not coming
> from a developer, but from a hostile adversary who has convinced Google
> that you are a threat.
> 
> #2 is already possible with Google Apps themselves, so there isn't
> really a change.
> 
> #1 can be blocked if you disable "unknown location" installs, but that
> leaves you only with #1 as an option for app installs.
> 
> Anyhow, brought this discussion over to guardian-dev to see what people
> think, and figure out if there is anything we can or should do to
> respond to this fairly fundamental Android bug.
> 
> +n
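The duplicate-entry behaviour Daniel describes above, modelled as an added example (this is not code from the thread, the CyanogenMod ticket, or the linked POC). It builds a zip in which `classes.dex` appears twice, with a simplified stand-in for the MANIFEST.MF/CERT.SF digest list (a plain dict of SHA-1 hex digests instead of signed base64 lines), and shows a verifier that looks entries up by name (Python's `ZipFile` keeps a name-to-entry map in which a later duplicate overwrites an earlier one, so it only sees the last copy) disagreeing with an extractor that walks the central directory and takes the first copy. Which copy each real Android parser picked is not stated on this page; the assumption here is only that the two code paths resolve the name differently. The hardened check rejects any archive with duplicate names and verifies each entry by its own `ZipInfo` rather than by name.

```python
import hashlib
import io
import warnings
import zipfile

# Constructed sample payloads (not real DEX files); stand-ins for classes.dex.
GOOD_DEX = b"dex\n035\x00 benign bytecode"
EVIL_DEX = b"dex\n035\x00 trojan bytecode"
ENTRY = "classes.dex"


def build_apk(entries):
    """Write a zip from an ordered list of (name, data) pairs, allowing the
    same name more than once. zipfile warns about a duplicate name but still
    writes both local headers and both central-directory records, which is
    exactly the shape of archive the master-key bug relies on."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def make_manifest(entries):
    """Simplified stand-in for the per-file SHA-1 digests that MANIFEST.MF /
    CERT.SF carry. In a real APK these are base64 and covered by the
    developer's signature; here the dict itself plays the signed digest list."""
    return {name: hashlib.sha1(data).hexdigest() for name, data in entries.items()}


def naive_verify(apk, manifest):
    """Verifier that resolves entries BY NAME. ZipFile's name map keeps the
    LAST duplicate, so a second copy with the signed digest is all this sees
    (modelled behaviour, assumed for the illustration)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name, digest in manifest.items():
            if hashlib.sha1(zf.read(name)).hexdigest() != digest:
                return False
    return True


def naive_extract(apk, name):
    """Extractor that walks the central directory in order and returns the
    FIRST entry with the requested name (modelled installer behaviour)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.open(info).read()
    raise KeyError(name)


def hardened_verify(apk, manifest):
    """Reject duplicate names outright, then digest every entry through its
    own ZipInfo so no name lookup can be redirected to a different copy."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        if len(names) != len(set(names)):
            return False  # duplicate entry names: refuse the archive
        for info in infos:
            expected = manifest.get(info.filename)
            if expected is None:
                return False  # unsigned entry
            if hashlib.sha1(zf.open(info).read()).hexdigest() != expected:
                return False
    return True


def demo():
    """Malicious copy first, signed copy second: the name-based verifier
    passes, the order-based extractor hands back the trojan, the hardened
    verifier refuses the archive. Returns the three outcomes."""
    manifest = make_manifest({ENTRY: GOOD_DEX})
    apk = build_apk([(ENTRY, EVIL_DEX), (ENTRY, GOOD_DEX)])
    return (naive_verify(apk, manifest),
            naive_extract(apk, ENTRY) == EVIL_DEX,
            hardened_verify(apk, manifest))


if __name__ == "__main__":
    verified, got_trojan, hardened_ok = demo()
    print("naive verifier accepts:   ", verified)
    print("extractor returns trojan: ", got_trojan)
    print("hardened verifier accepts:", hardened_ok)
```

The same hardened check still accepts a clean archive with a single `classes.dex`, so the fix costs nothing for well-formed APKs; the only thing it refuses is an archive whose central directory lists one name twice, which no legitimate build tool emits.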

