[guardian-dev] What to do about Android "master key" bug

Nathan of Guardian nathan at guardianproject.info
Mon Jul 8 11:05:48 EDT 2013



On 07/08/2013 10:20 AM, Daniel McCarney wrote:
> It boils down to the way that Android handles duplicate entries in
> the APK. It appears you can add two files of the same name and have
> only one of them match the signature defined in CERT.SF.

If there are two of the same file, say classes.dex, or an .so, how
does Dalvik choose which one to load? Or does it load them all?

I suppose the answer must be, it chooses the *wrong* one, at least
part of the time, or at some point, enough to activate the attack.

+n
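
An added example, not part of the original message or any Guardian Project code: a Python check that flags an APK whose ZIP directory lists the same entry name more than once, and shows two lookup strategies returning different bytes for that name. The archive is constructed in memory and the function names are hypothetical; the two strategies illustrate parser disagreement using Python's zipfile and are not a statement of how Android's loader resolves the name.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk(duplicate: bool = True) -> bytes:
    """Constructed sample: a ZIP that may hold two entries named classes.dex."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile only warns (does not fail) when a name is written twice.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"first copy")
            if duplicate:
                zf.writestr("classes.dex", b"second copy")
            zf.writestr("META-INF/CERT.SF", b"constructed placeholder")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name listed more than once."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def resolve_both_ways(apk_bytes: bytes, name: str):
    """Read a duplicated name with two strategies that disagree."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        first = next(i for i in zf.infolist() if i.filename == name)
        first_match = zf.read(first)  # walk the directory, take the first hit
        by_name = zf.read(name)       # zipfile's name index keeps the last entry
    return first_match, by_name


def is_safe_to_install(apk_bytes: bytes) -> bool:
    """Policy: reject any archive that contains an ambiguous entry name."""
    return not duplicate_entries(apk_bytes)


if __name__ == "__main__":
    apk = build_sample_apk()
    print(duplicate_entries(apk), resolve_both_ways(apk, "classes.dex"))
```

A scanner that rejects on any duplicate name does not need to know which copy a given component would pick, which is why the check is written as a count over every directory entry rather than a name lookup.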

