Why would you doubt Rain Forest Puppy's research? Surely this is a
vulnerability if Google patched it. I'm sure you will enjoy the talk by RFP
as he is a well-respected security researcher. I think you are not
understanding Android security if you don't understand the issues here, but
I doubt the research is embellished. RFP is not one to do so...

--
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen

On Jul 30, 2014 1:59 AM, "reox" <[email protected]> wrote:

> Today I read this article
> http://www.bluebox.com/blog/technical/android-fake-id-vulnerability/
> stating that application signing is basically broken.
> But as far as I understand the article, the author is wrong in many
> assumptions, I believe, but I have not seen his complete presentation yet,
> which will be released at blackhat.
>
> The author speaks of PKI and chain of trust - but as far as I know this
> was never planned to be used on Android. As far as I understand the concept
> of code signing on Android, it is just a bit-per-bit compare of certificate
> files to ensure that the app is allowed to do things. While on installation
> the signatures are checked too, to ensure that the developer really signed
> the application.
> Also it is stated that if you put another certificate into your app,
> you can impersonate other apps. I do not think this is possible either,
> because all certificates are checked, not only a subset of them.
> Also, without having the private key, you could not sign your application -
> so it would not even install.
>
> I do not understand what the problem is here. Does anyone have more
> information?
>
> regards
> -sebastian
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to
> [email protected].
> Visit this group at
> http://groups.google.com/group/android-security-discuss.
> For more options, visit https://groups.google.com/d/optout.
>
