[guardian-dev] Bazaar/F-Droid: Two-tap vs One-tap provisioning
Hans-Christoph Steiner
hans at guardianproject.info
Tue Mar 25 12:10:57 EDT 2014
On 03/25/2014 10:13 AM, Nathan of Guardian wrote:
>
> On 03/25/2014 07:20 AM, Michael Rogers wrote:
>> On 20/03/14 13:22, Nathan of Guardian wrote:
>>>> 1) Injecting data into the APK in a way that doesn't cause problems
>>>> with the built-in signature (which isn't a signature of the whole
>>>> APK/JAR file, just the relevant android bits).
>> I'm slightly alarmed that this is possible. Which parts of the APK are
>> vulnerable to injection?
> In short, my impression is that the signature is not for the entire APK
> itself, but for the dex, resources, etc. inside of it. How else would you
> insert the signature itself inside the APK?
>
> Of course, that may have only been the way it worked before this was
> considered a vulnerability, but let's find out!
>
> Otherwise, we do have the capability with Bazaar of re-signing apps on
> the device itself.
>
> +n

This is an old system. APKs use the standard jar signing method. Things in
the META-INF folder in the jar/apk are not executed. It is this oddness
though that allowed the master key bug to exist.

In any case, I don't think Android will change how they sign APKs; the jar
technique is much too entrenched.

.hc
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
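
Added example, not part of the original message or of Bazaar/F-Droid code: a small audit of which entries in a JAR-signed archive are covered by a digest in META-INF/MANIFEST.MF, which is the layer the thread is asking about. It checks only the manifest digests (not the .SF file or the signature block), assumes SHA-256-Digest attributes, and runs on a constructed stand-in archive rather than a real APK.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return {entry name: base64 SHA-256 digest} from MANIFEST.MF text."""
    digests, name = {}, None
    # A line that starts with a single space continues the previous line.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for line in text.split("\n"):
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key == "SHA-256-Digest" and name is not None:
            digests[name] = value
        elif not line:          # blank line ends a per-entry section
            name = None
    return digests

def audit(archive_bytes):
    """Classify every ZIP entry by whether a manifest digest covers it."""
    report = {"covered": [], "mismatch": [], "uncovered": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in z.infolist():
            actual = base64.b64encode(hashlib.sha256(z.read(info)).digest()).decode()
            if info.filename not in digests:
                report["uncovered"].append(info.filename)   # no digest at all
            elif digests[info.filename] == actual:
                report["covered"].append(info.filename)
            else:
                report["mismatch"].append(info.filename)    # content changed
    return report

def build_sample(extra=None):
    """Constructed stand-in for an APK: two payload entries plus a manifest."""
    payload = {"classes.dex": b"dex bytes", "res/layout/main.xml": b"<xml/>"}
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in payload.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        # 'extra' entries are written without touching the manifest.
        for name, data in {**payload, **(extra or {})}.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit(build_sample()))
```

Any name reported as "uncovered" outside META-INF/ is an entry a JAR verifier has no digest for, and "mismatch" means the content no longer matches the signed manifest.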