[guardian-dev] Bazaar/F-Droid: Two-tap vs One-tap provisioning

Nathan of Guardian nathan at guardianproject.info
Tue Mar 25 10:13:00 EDT 2014


On 03/25/2014 07:20 AM, Michael Rogers wrote:
> On 20/03/14 13:22, Nathan of Guardian wrote:
>> > 1) Injecting data into the APK in a way that doesn't cause problems
>> > with the built-in signature (which isn't a signature of the whole
>> > APK/JAR file, just the relevant android bits).
> I'm slightly alarmed that this is possible. Which parts of the APK are
> vulnerable to injection?
In short, my impression is that the signature is not for the entire APK
itself, but for the dex, resources, etc. inside of it. How else would you
insert the signature itself inside the APK?

Of course, that may have only been the way it worked before this was
considered a vulnerability, but let's find out!

Otherwise, we do have the capability with Bazaar of re-signing apps on
the device itself.

+n
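
Added example (not part of the original message, and not Bazaar or F-Droid code): under JAR-style APK signing, the scheme Android used when this thread was written, META-INF/MANIFEST.MF carries one digest per listed archive entry. This Python script reports which parts of an archive have such a digest and whether it still matches; the sample archive and all helper names are constructed, and the signature over the manifest is not verified.

```python
import base64, hashlib, io, zipfile

DIGEST_ATTRS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}
SIG_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")  # signing metadata itself

def parse_manifest(text):
    """Return {entry name: (hash name, base64 digest)} from MANIFEST.MF."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        for attr, algo in DIGEST_ATTRS.items():
            if "Name" in attrs and attr in attrs:
                digests[attrs["Name"]] = (algo, attrs[attr])
    return digests

def audit(apk_bytes):
    """Classify each part of the archive by whether a manifest digest covers it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in z.namelist():
            if name in digests:
                algo, expected = digests[name]
                digest = hashlib.new(algo, z.read(name)).digest()
                ok = base64.b64encode(digest).decode() == expected
                report[name] = "ok" if ok else "MISMATCH"
            elif name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES):
                report[name] = "signature file"
            else:
                report[name] = "no digest"
        if z.comment:
            report["<archive comment>"] = "no digest"
    return report

def build_sample(extra=None, tamper=False):
    """Constructed stand-in for an APK: manifest digests only, no signature block."""
    files = {"classes.dex": b"dex-bytes", "res/raw/a.txt": b"resource"}
    mf = "Manifest-Version: 1.0\n\n"
    for name, data in files.items():
        mf += f"Name: {name}\nSHA1-Digest: {base64.b64encode(hashlib.sha1(data).digest()).decode()}\n\n"
    if tamper:
        files["classes.dex"] = b"changed after the digest was taken"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        for name, data in {**files, **(extra or {})}.items():
            z.writestr(name, data)
    return buf.getvalue()
```

Calling `audit()` on the bytes of a real APK gives the same per-entry report; anything marked "no digest" is content the manifest says nothing about.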