[guardian-dev] Bazaar/F-Droid: Two-tap vs One-tap provisioning

[Michael Rogers]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 20/03/14 13:22, Nathan of Guardian wrote:
> 1) Injecting data into the APK in a way that doesn't cause problems
> with the built-in signature (which isn't a signature of the whole
> APK/JAR file, just the relevant android bits).

I'm slightly alarmed that this is possible. Which parts of the APK are
vulnerable to injection?

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCAAGBQJTMWaHAAoJEBEET9GfxSfMVX4IAJZrDlb/kbU5mG7NsKrBQiSw
Psn82G8/KNJqINro+N6XCKSyvosCoF+pIzSQ8EwPHJhYit31/txfeavS2trOxLvw
wz0nuZPbGvTqWXb1yq/loMIS/xkr+0WevmlYD/DUduV4UPnGaLmp23y36EVFVmgD
6OOEx9SnP+wxFtswtXFYXa8jKT3A3CXRtGG/9LVsUB6LQvihdstOM6nnPGuS5b2A
I1Xp62KnQ3e3/Duh1ix00s3C7FgTxuK7kVMvdaKqhSxzQxkJTgKLVDzBfeQw/p+f
vh1dOmYzcki+owzLoshDssbxt4mjjRbTnjADf2PzA3M9kQv18IfsH+Mn6p9g0o0=
=DpBQ
-----END PGP SIGNATURE-----