[guardian-dev] Bazaar/F-Droid: Two-tap vs One-tap provisioning

Hans-Christoph Steiner hans at guardianproject.info
Tue Mar 25 12:10:57 EDT 2014
On 03/25/2014 10:13 AM, Nathan of Guardian wrote:
> 
> On 03/25/2014 07:20 AM, Michael Rogers wrote:
>> On 20/03/14 13:22, Nathan of Guardian wrote:
>>>> 1) Injecting data into the APK in a way that doesn't cause problems
>>>> with the built-in signature (which isn't a signature of the whole
>>>> APK/JAR file, just the relevant android bits).
>> I'm slightly alarmed that this is possible. Which parts of the APK are
>> vulnerable to injection?
> In short, my impression is that the signature is not for the entire APK
> itself, but for the dex, resources, etc. inside of it. How else would you
> insert the signature itself inside the APK?
> 
> Of course, that may have only been the way it worked before this was
> considered a vulnerability, but let's find out!
> 
> Otherwise, we do have the capability with Bazaar of re-signing apps on
> the device itself.
> 
> +n

This is an old system.  APKs use the standard jar signing method.  Things in
the META-INF folder in the jar/apk are not executed.  It is this oddness
though that allowed the master key bug to exist.

In any case, I don't think Android will change how they sign APKs, the jar
technique is much too entrenched.

.hc

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
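An added example, not code from this thread or from Bazaar/F-Droid, illustrating the point Hans makes above: a JAR-style signature covers only the entries whose digests are listed in META-INF/MANIFEST.MF, so a verifier that wants to know what an APK's signature actually protects has to compare the archive's contents against that manifest. The script builds a constructed sample JAR in memory and reports entries the manifest does not cover, entries whose digest does not match, and duplicate entry names (which a verifier should reject outright); it checks the manifest digests only, not the .SF/.RSA signature over the manifest.

```python
import base64, hashlib, io, re, warnings, zipfile
DIGESTS = {"SHA1-Digest": hashlib.sha1, "SHA-256-Digest": hashlib.sha256}

def parse_manifest(text):
    """Map each 'Name:' section of MANIFEST.MF to its *-Digest attributes."""
    entries, current = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # unwrap 72-byte continuation lines
        key, _, value = line.partition(": ")
        if key == "Name":
            current = value
            entries[current] = {}
        elif current is not None and key.endswith("-Digest"):
            entries[current][key] = value
        elif not line:
            current = None  # a blank line closes the section
    return entries

def audit_jar(data):
    """Return (uncovered, mismatched, duplicates) for a JAR/APK given as bytes."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = [i.filename for i in zf.infolist()]
    duplicates = sorted({n for n in names if names.count(n) > 1})
    manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
    uncovered, mismatched = [], []
    for info in zf.infolist():  # iterate by ZipInfo so every copy of a name is checked
        name = info.filename
        if name.startswith("META-INF/") or name.endswith("/"):
            continue  # signature files and directories are never covered by the manifest
        attrs = manifest.get(name)
        if not attrs:
            uncovered.append(name)
            continue
        body = zf.open(info).read()
        expected = {a: base64.b64encode(f(body).digest()).decode() for a, f in DIGESTS.items()}
        if any(attrs[a] != expected[a] for a in attrs if a in expected):
            mismatched.append(name)
    return uncovered, mismatched, duplicates

def build_sample():
    """Constructed in-memory JAR: one covered entry, one uncovered, one duplicate name."""
    dex = b"dex\n035\x00constructed sample payload"
    digest = base64.b64encode(hashlib.sha1(dex).digest()).decode()
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\nSHA1-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf, warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/extra.bin", b"not listed in the manifest")
        zf.writestr("classes.dex", b"second copy under the same name")
    return buf.getvalue()
```

For the constructed sample, `audit_jar(build_sample())` returns uncovered `['assets/extra.bin']`, mismatched `['classes.dex']` and duplicates `['classes.dex']`.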
