On Wed, Jul 30, 2014 at 4:58 AM, reox <[email protected]> wrote:
> ...
>
> I do not understand what is the problem here? Does anyone have more
> information?

Taking from the 4th paragraph under "How It Works":

<quote>
The Android package installer makes no attempt to verify the authenticity of a certificate chain; in other words, an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim
</quote>

*If* I am reading the 4th paragraph correctly, it appears (and using Adobe as an example):

The app is using a certificate that is *not* self-signed.
The app's certificate has an Issuer Distinguished Name of Adobe.
However, the system does not verify Adobe actually issued the app's certificate.
The verification system is just performing a string comparison of the distinguished names.

Actually, that is the case. From the 6th paragraph:

<quote>
... instead defaulting to simple subjectDN to issuerDN string matching
</quote>

To summarize, signature verification on the chain is not being performed. Rather, a simpler [insecure] algorithm is used that consists of Distinguished Name matching.

I attached an image that shows the relationship between Issuers and Subjects. It was ripped from Peter Gutmann's Engineering Security book (https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf). It should help you visualize what's going on.

That's another good find by Forristal.

Jeff

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
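The difference Jeff is describing, as an added example that is not part of his message or of Forristal's write-up: a standard-library Go program that builds an in-memory CA with a constructed name, one app certificate genuinely issued by that CA, and a second app certificate whose Issuer DN merely repeats the CA's Subject DN while the signature comes from an unrelated key. Both certificates are then run through the DN-string-matching check the post describes and through a real issuer-signature check. The function names, the "Example Corp" CA and the app names are assumptions of this example, not anything from Android's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain pairs an app-signing (leaf) certificate with the certificate it
// names as its issuer. All certificates are generated in memory with
// constructed names; none of them is a real vendor identity.
type Chain struct {
	Leaf   *x509.Certificate
	Issuer *x509.Certificate
}

// issue builds a certificate for pub. The Issuer DN is copied from
// parent.Subject and the signature is produced with signerKey. Nothing here
// ties signerKey to the entity named in parent, which is exactly the
// "an identity can claim to be issued by another identity" situation.
func issue(subject pkix.Name, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: Issuer DN equals own Subject DN
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildScenario returns an honest chain (leaf really signed by the CA) and a
// forged chain (leaf whose Issuer DN is a copy of the CA's Subject DN but
// whose signature was made with a key the CA never saw).
func BuildScenario() (honest, forged Chain, err error) {
	caName := pkix.Name{CommonName: "Constructed Example CA", Organization: []string{"Example Corp"}}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return honest, forged, err
	}
	ca, err := issue(caName, &caKey.PublicKey, nil, caKey, true)
	if err != nil {
		return honest, forged, err
	}
	appKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return honest, forged, err
	}
	honestLeaf, err := issue(pkix.Name{CommonName: "Honest App"}, &appKey.PublicKey, ca, caKey, false)
	if err != nil {
		return honest, forged, err
	}
	// The claimed parent carries only the CA's name, no public key, so the
	// resulting Issuer DN matches the CA byte for byte while the signature
	// comes from otherKey.
	otherKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return honest, forged, err
	}
	claimedParent := &x509.Certificate{Subject: caName}
	forgedLeaf, err := issue(pkix.Name{CommonName: "Forged App"}, &otherKey.PublicKey, claimedParent, otherKey, false)
	if err != nil {
		return honest, forged, err
	}
	return Chain{honestLeaf, ca}, Chain{forgedLeaf, ca}, nil
}

// DNMatchOnly mirrors the flawed check the post describes: compare the leaf's
// Issuer DN string with the claimed issuer's Subject DN string and stop there.
func DNMatchOnly(c Chain) bool {
	return c.Leaf.Issuer.String() == c.Issuer.Subject.String()
}

// VerifyIssuance is what a chain check has to add on top of name matching:
// the claimed issuer's public key must verify the signature over the leaf's
// TBSCertificate. CheckSignatureFrom also requires the parent to be a CA
// certificate permitted to sign certificates.
func VerifyIssuance(c Chain) error {
	if !DNMatchOnly(c) {
		return errors.New("leaf Issuer DN does not name the claimed issuer")
	}
	return c.Leaf.CheckSignatureFrom(c.Issuer)
}

func main() {
	honest, forged, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest: DN match=%v signature ok=%v\n", DNMatchOnly(honest), VerifyIssuance(honest) == nil)
	fmt.Printf("forged: DN match=%v signature ok=%v\n", DNMatchOnly(forged), VerifyIssuance(forged) == nil)
}
```

DN matching accepts both chains, because the forged leaf's Issuer field is a literal copy of the CA's Subject; only the signature check, which reconstructs the TBSCertificate bytes and verifies them against the CA's actual public key, separates the two. That is the step the post says the installer skipped.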
