[guardian-dev] Vulnerabilities with Custom Permissions

Daniel McCarney daniel at binaryparadox.net
Thu Feb 13 14:10:01 EST 2014


The always clear-spoken Mark Murphy wrote an interesting blog
post[1] & analysis[2] of custom permissions in Android. Specifically how
the interaction between apps defining custom/signature permissions can
be subverted in subtle ways based on the order of application install.

Might be worth adding as a footnote to Hans' "Improving trust and flexibility
in interactions between Android apps" blog post[3] as it mentions custom
permissions as a means to gate access to Activities.

- Daniel

[1] http://commonsware.com/blog/2014/02/12/vulnerabilities-custom-permissions.html
[2] https://github.com/commonsguy/cwac-security/blob/master/PERMS.md
[3] https://guardianproject.info/2014/01/21/improving-trust-and-flexibility-in-interactions-between-android-apps/