Slashdot Mirror


Code Released To Exploit Android App Signature Vulnerability

chicksdaddy writes with news of a Proof-of-Concept exploit for the recent Android APK signature vulnerability. From the article: "Pau Oliva Fora, a security researcher for the firm Via Forensics, published a small, proof of concept module on GitHub that exploits the flaw in the way Android verifies the authenticity of signed mobile applications. The flaw was first disclosed last week by Jeff Forristal, the Chief Technology Officer at Bluebox Security, ahead of a presentation at the Black Hat Briefings in August. ... The simple program leverages APKTool, an open source tool for reverse engineering Android applications — decompiling and then recompiling their contents. His script allows a user to select and then decompile a legitimate Android application and then recompile it, creating an altered, 'malicious' APK that will have the same cryptographic signature as the original file. In an e-mail statement, Google said that a patch for Forristal's vulnerability was provided to Google's OEM and carrier partners in March, and that some (Samsung) are already shipping a patched version of Android to customers. However, that response hasn't been universal — a reflection of Android's fragmented install base."

3 of 81 comments

  1. Re: So... by EGSonikku · Score: 4, Informative

    Google PlayStore does NOT use https for actual downloads (check your own WiFi logs). So in theory, if you were connected to an insecure/public WiFi network someone could intercept your download request and replace it with a compromised download using available WiFi auditing tools.

    --
    - "Scientia non habet inimicum nisp ignorantem"
  2. Summary of the exploit by complete+loony · Score: 4, Informative

    Add your exploit code to an existing apk without removing the original items, creating a zip file with duplicate entries. The original files match the signature, the duplicates are executed after installing.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
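    The duplicate-entry trick summarised in the comment above (and the signature-preserving modification described in the story) comes down to two ZIP parsers disagreeing about which bytes a name refers to. The following is an added example, not part of the original post and not Pau Oliva Fora's GitHub code: a self-contained Python script that builds an archive storing the same entry name twice, shows that a dict-based reader (Python's zipfile, where the last name wins) and a first-match reader over the central directory return different bytes for that name, and shows the check a verifier needs, namely rejecting any archive whose central directory lists a name more than once. The entry name `classes.dex`, the payloads and the first-match reader are constructed for illustration; which Android component used which lookup order is not stated on this page and is not modelled here.

```python
"""Why one ZIP name can mean two different files (constructed demo).

Builds an APK-like archive that stores the same entry name twice, shows
that two reasonable ZIP readers resolve that name to different bytes, and
shows the check a verifier needs: refuse any archive whose central
directory lists a name more than once.
"""
import io
import struct
import warnings
import zipfile

# Constructed sample data (not real dex bytecode); the entry name is an assumption.
ENTRY = "classes.dex"
ORIGINAL = b"original code that the signer actually signed"
SHADOW = b"attacker code stored under the same name"


def build_zip(entries):
    """Return a ZIP (as bytes) with the (name, bytes) pairs written in order; duplicates are kept."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on a duplicate name but still writes the entry
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


def central_directory_entries(data):
    """Walk the central directory in on-disk order; yield (name, local header offset, compressed size)."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory signature (no ZIP64 handling)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<IHHHHIIH", data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(total):
        hdr = struct.unpack("<IHHHHHHIIIHHHHHII", data[pos:pos + 46])
        if hdr[0] != 0x02014B50:
            raise ValueError("bad central directory header at offset %d" % pos)
        name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8")
        yield name, hdr[16], hdr[8]
        pos += 46 + name_len + extra_len + comment_len


def read_stored_entry(data, local_header_offset):
    """Return the bytes of a STORED entry by following its local file header."""
    hdr = struct.unpack("<IHHHHHIIIHH", data[local_header_offset:local_header_offset + 30])
    if hdr[0] != 0x04034B50 or hdr[3] != 0:
        raise ValueError("expected a STORED local file header")
    name_len, extra_len, size = hdr[9], hdr[10], hdr[7]
    start = local_header_offset + 30 + name_len + extra_len
    return data[start:start + size]


def resolve_last_wins(data, name):
    """zipfile keeps a name -> entry dict, so the LAST duplicate shadows the earlier one."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def resolve_first_wins(data, name):
    """A reader that stops at the FIRST central-directory match (modelled second parser, assumption)."""
    for entry_name, offset, _ in central_directory_entries(data):
        if entry_name == name:
            return read_stored_entry(data, offset)
    raise KeyError(name)


def duplicate_names(data):
    """Names that appear more than once in the central directory, in first-seen order."""
    seen, dups = set(), []
    for name, _, _ in central_directory_entries(data):
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def verify_single_view(data):
    """The hardening check: reject an archive whose entries are ambiguous before trusting any signature over it."""
    dups = duplicate_names(data)
    if dups:
        raise ValueError("rejecting archive, duplicate entries: %r" % dups)
    return True


def demo():
    """Build the ambiguous archive and return what each reader sees for ENTRY."""
    data = build_zip([(ENTRY, ORIGINAL), ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"), (ENTRY, SHADOW)])
    return {
        "last_wins": resolve_last_wins(data, ENTRY),
        "first_wins": resolve_first_wins(data, ENTRY),
        "duplicates": duplicate_names(data),
    }


if __name__ == "__main__":
    result = demo()
    print("dict-based reader sees :", result["last_wins"])
    print("first-match reader sees:", result["first_wins"])
    print("duplicate names        :", result["duplicates"])
```

    Whichever of the two views a signature verifier hashes, a component that resolves the name the other way executes bytes the signature never covered; the only robust fix on the verifying side is `verify_single_view`, which refuses the archive outright rather than picking a winner.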
  3. Re: So... by scot4875 · Score: 4, Informative

    Isn't the magic of Android the fact that you can install from third-party sources?

    Sure, that's one very nice thing, but it still doesn't allow you to just be a moron and expect everything to be hunky-dory.

    TotallyFreeVersionOfSomePopularGame.apk from a site that's written in mostly Cyrillic or Chinese characters? Seems legit!

    --Jeremy

    --
    Jesus was a liberal