Isn't it enough to ask a simple question? I may quote it again:

> I do not understand what is the problem here? Does anyone have more information?

Okay, maybe it is not on this mailing list... let's expand that:

Someone creates an application A with a certificate CERT_A. Now someone else creates application B with CERT_B and says that CERT_B was signed by CERT_A, but in fact it is not, because B does not have the private key of A. If A is installed on a system, you can install B and are granted any signature level permissions of A because the Android system grants apps these rights if there is a chain of certificates available without checking the actual chain?

Okay, well, I could test this now, if this is the actual bug they are talking about... But why does any source I read say that trustchains are not supported etc.? So if this is actually wrong, then please correct me on this wrong assumption.

By the way, I found the commit the author is referring to: https://android.googlesource.com/platform/libcore/+log/2bc5e811a817a8c667bca4318ae98582b0ee6dc6

On Wednesday, 30 July 2014 11:43:18 UTC+2, Kristian Hermansen wrote:
>
> Reading and *doing* are two different things. I highly encourage you to
> *do* because many times even the best documentation does not properly
> represent how a system actually works. Again, if you have questions, devise
> your own experiments by DOING and if you have questions then ask RFP
> directly...
>
> --
> Regards,
>
> Kristian Erik Hermansen
> https://www.linkedin.com/in/kristianhermansen
> On Jul 30, 2014 2:36 AM, "reox" <[email protected]> wrote:
>
>> Yes, I mean I trust them that they found something. All the security
>> researchers have my biggest respect, for the job they are doing.
>> But, maybe I did not understand the text well enough, isn't it true that
>> chains of trust are never checked on the Android system, as by design? In
>> the last weeks I read a lot about the Android signing system and what the
>> author writes there is just not what I remember to have read.
>> In comparison to .jar files, where a chain of trust must be supplied
>> otherwise the app is untrusted?
>> But as far as I understood the signing process on Android, its only
>> purpose is to check if an app is allowed to overwrite another app with the
>> same package name and if signature based permissions can be granted. That's
>> why it is not important to have any trustchains or PKI in place but to keep
>> your private key secure (so no one else can sign apps with your key).
>>
>> Can someone hint me with this Google bug number? I can not find a Google
>> bug tracker (or is it private?).
>>
>> Thanks!
>>
>>
>> On Wednesday, 30 July 2014 11:11:26 UTC+2, Kristian Hermansen wrote:
>>>
>>> Why would you doubt Rain Forest Puppy's research? Surely this is a
>>> vulnerability if Google patched it. I'm sure you will enjoy the talk by RFP
>>> as he is a well respected security researcher. I think you are not
>>> understanding Android security if you don't understand the issues here, but
>>> I doubt the research is embellished. RFP is not one to do so...
>>>
>>> --
>>> Regards,
>>>
>>> Kristian Erik Hermansen
>>> https://www.linkedin.com/in/kristianhermansen
>>> On Jul 30, 2014 1:59 AM, "reox" <[email protected]> wrote:
>>>
>>>> Today I read this article
>>>> http://www.bluebox.com/blog/technical/android-fake-id-vulnerability/
>>>> stating that application signing is basically broken.
>>>> But as far as I understand the article the author is wrong in many
>>>> assumptions as I believe, but I have not seen his complete presentation
>>>> yet, which will be released at Black Hat.
>>>>
>>>> The author speaks of PKI and Chain of Trust - but as far as I know
>>>> this was never planned to be used on Android. As far as I understand the
>>>> concept of code signing on Android, it is just a bit-per-bit compare of
>>>> certificate files to ensure that the app is allowed to do things.
>>>> While on installation the signatures are checked too, to ensure that
>>>> the developer really signed the application.
>>>> Also it is stated, that if you put in another certificate into your
>>>> app, you can impersonate other apps. I do not think this is possible
>>>> either because all certificates are checked not only a subset of them.
>>>> Also without having the private key, you could not sign your
>>>> application - so it would not even install.
>>>>
>>>> I do not understand what is the problem here? Does anyone have more
>>>> information?
>>>>
>>>> regards
>>>> -sebastian
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Android Security Discussions" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> Visit this group at http://groups.google.com/group/android-security-discuss.
>>>> For more options, visit https://groups.google.com/d/optout.
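
The scenario asked about in the top message (CERT_B names CERT_A as its issuer without being signed by A's key), as an added example that is not part of the original thread and is not Android code: a simplified model comparing a chain builder that links certificates by issuer name only with one that also verifies each signature. The toy RSA keys, the `Cert` tuple and all function names are constructed for illustration.

```python
import hashlib
from collections import namedtuple

# Simplified model, not Android code. Toy RSA with tiny primes: illustration only.
Cert = namedtuple("Cert", "subject issuer pub sig")  # pub = (n, e)

def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def tbs_hash(subject, issuer, pub):
    data = f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(subject, issuer, subject_key, signer_key):
    pub = (subject_key["n"], subject_key["e"])
    h = tbs_hash(subject, issuer, pub) % signer_key["n"]
    return Cert(subject, issuer, pub, pow(h, signer_key["d"], signer_key["n"]))

def signed_by(child, parent):
    # True only if child's signature verifies under parent's public key.
    n, e = parent.pub
    return pow(child.sig, e, n) == tbs_hash(child.subject, child.issuer, child.pub) % n

def build_chain(leaf, bundled, verify):
    # Walk issuer -> subject links among the certificates shipped with the app.
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject:
        parent = next((c for c in bundled if c.subject == chain[-1].issuer), None)
        if parent is None or parent in chain:
            break
        if verify and not signed_by(chain[-1], parent):
            break  # the issuer name is only a claim; the signature must prove it
        chain.append(parent)
    return chain

def gets_signature_permission(chain, trusted):
    # Exact comparison of chain members against the trusted certificate.
    return any(c == trusted for c in chain)

# Constructed sample certificates.
KEY_A = make_key(104729, 1299709)
KEY_B = make_key(15485863, 32452843)
CERT_A = issue("A", "A", KEY_A, KEY_A)  # self-signed
CERT_B = issue("B", "A", KEY_B, KEY_B)  # claims issuer A, signed with B's own key
CERT_C = issue("C", "A", KEY_B, KEY_A)  # genuinely issued with A's private key

if __name__ == "__main__":
    for verify in (False, True):
        chain = build_chain(CERT_B, [CERT_B, CERT_A], verify)
        print(verify, [c.subject for c in chain], gets_signature_permission(chain, CERT_A))
```

Exact comparison of certificates only protects the permission check if every certificate in the chain earned its place through a verified signature; CERT_A itself is public and can be bundled by anyone.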
