Today I read this article http://www.bluebox.com/blog/technical/android-fake-id-vulnerability/ stating that application signing is basically broken. But as far as I understand the article, the author is wrong in many of his assumptions, I believe, but I have not seen his complete presentation yet, which will be released at Black Hat.
The author speaks of PKI and a chain of trust, but as far as I know this was never planned to be used on Android. As far as I understand the concept of code signing on Android, it is just a bit-for-bit comparison of certificate files to ensure that the app is allowed to do things, while on installation the signatures are checked too, to ensure that the developer really signed the application. It is also stated that if you put another certificate into your app, you can impersonate other apps. I do not think this is possible either, because all certificates are checked, not only a subset of them. Also, without having the private key you could not sign your application, so it would not even install. I do not understand what the problem is here. Does anyone have more information?

regards
-sebastian
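To make concrete the distinction the post draws between a byte-for-byte comparison of certificates and chain-of-trust validation, here is an added example that is not from the post, from the Bluebox article or from Android's own code. It builds three constructed certificates with Go's standard library: a self-signed issuer, a leaf genuinely signed by that issuer, and a "rogue" leaf that merely names the issuer in its Issuer field but is signed with an unrelated key. Three checks are then run over them: the byte-for-byte comparison the post describes, a chain check that looks only at the issuer name, and a chain check that actually verifies the signature. All subject names are made up for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Demo holds three certificates built in memory. All names are constructed
// for illustration; none of them is a real Android or vendor certificate.
type Demo struct {
	CA    *x509.Certificate // self-signed issuer
	Leaf  *x509.Certificate // genuinely issued (signed) by CA
	Rogue *x509.Certificate // names CA as issuer but is signed with an unrelated key
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildDemo constructs the issuer, a genuine leaf and a rogue leaf.
func BuildDemo() Demo {
	now := time.Now()
	caKey, leafKey, attackerKey := mustKey(), mustKey(), mustKey()

	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuer (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Genuine App (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
	leaf := mustCert(leafTmpl, ca, &leafKey.PublicKey, caKey)

	// The rogue certificate copies only the issuer *name*. It is signed with
	// the attacker's own key; the parent template carries no public key, so
	// CreateCertificate cannot tell that the signer is not the real issuer.
	rogueTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "Impostor App (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
	fakeParent := &x509.Certificate{Subject: ca.Subject}
	rogue := mustCert(rogueTmpl, fakeParent, &attackerKey.PublicKey, attackerKey)

	return Demo{CA: ca, Leaf: leaf, Rogue: rogue}
}

// SameSigner is the byte-for-byte comparison the post describes: two signers
// count as the same only if their DER encodings are identical.
func SameSigner(a, b *x509.Certificate) bool {
	return bytes.Equal(a.Raw, b.Raw)
}

// NameChains accepts child as issued by parent from the issuer name alone,
// which is what "chaining" looks like when no signature is verified.
func NameChains(child, parent *x509.Certificate) bool {
	return child.Issuer.CommonName == parent.Subject.CommonName
}

// SignatureChains accepts child only if parent's public key verifies the
// signature on child, i.e. real chain-of-trust validation.
func SignatureChains(child, parent *x509.Certificate) bool {
	return child.CheckSignatureFrom(parent) == nil
}

func main() {
	d := BuildDemo()
	fmt.Println("leaf bytes == rogue bytes:           ", SameSigner(d.Leaf, d.Rogue))
	fmt.Println("rogue names CA as issuer:            ", NameChains(d.Rogue, d.CA))
	fmt.Println("leaf signature verifies against CA:  ", SignatureChains(d.Leaf, d.CA))
	fmt.Println("rogue signature verifies against CA: ", SignatureChains(d.Rogue, d.CA))
}
```

The byte comparison alone cannot be fooled into treating the rogue leaf as the genuine one, which matches the post's point; but a check that follows issuer names to decide what a certificate descends from accepts the rogue leaf, and only a check that verifies the signature against the issuer's key rejects it. Which of these an installer performs is exactly the question the post is asking.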
