Android Update Lets Malware Bypass Digital Signature Check

msm1267 writes "A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature — an action that would normally set off a red flag that something is amiss. Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said. The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected."

Re:Looking forward to 1st August

[Jeremiah+Cornelius]

HOW can you COMPROMISE an APK file?

It USES HOSTS file!

Re:900 million is a pretty big number

And thus we dispel one of the many myths of open source. F/OSS is not bad and proprietary software is not necessarily better in any way or any of that shit but the cold hard fact is that even if you have access to the source code this sort of thing is going to happen! Nobody is reading and understanding all the code in its entirety being assured that there are no vulnerabilities or backdoors, no matter how much the fossies like to believe it.

I'm not advocating one way or the other, just sayin that whole argument about security because we have access to the sourcecode is rubbish.