On Tue, Aug 5, 2014 at 12:37 PM, Dinesh Garg <[email protected]> wrote: > Hi, > I have couple of questions w.r.t. SEAndroid & Android Apps but before that I > would explain a little bit: > > Android apps are signed with a key depending upon apps category i.e. > platform app or system app or and so on. Depending upon that it would be > assigned a seinfo tag which would be utilized by zygote to assign a context > to app. > > Now if there is a vulnerability by which an application can be installed as > system, rogue app would be assigned seinfo as system or platform. Hence > rogue app can execute all privileged operations. > > This is possible because if a user update a privileged app from Google play > or some other OEMs provided stores which would install app in /data.
Yes a system/platform/... signed app is updatable via a normal install and not OTA, thus it ends up on /data like anyother app. However, the apk is still signed with that key. > > > First Q: is my above understanding correct? > Second Q: if yes, how can we mitigate this vulnerability? > Third Q: is it possible that someone can replace the certificates those are > used to verify the platform apps? if yes, rogue person can replace the > verifying certs and install the modified apps which would get required > permissions to execute privileged operations. Their is no vulnerability in the design of the installation of APKs. A system signed app is a system signed app irregardless of the installation location. The private key used to sign the platform is used to verify whether or not the apk is system. However, this doesn;t mean the install processes is 100% secure. We have seen, recently, an exploit that targeted the signing process and duplicate entries in a the zip file format to overwite class files in a properly signed apk. Remember apk's are just zip's. So I don't see a security issue per se in the installation process of system signed apks. > > Thanks, > Dinesh > > > _______________________________________________ > Seandroid-list mailing list > [email protected] > To unsubscribe, send email to [email protected]. > To get help, send an email containing "help" to > [email protected]. -- Respectfully, William C Roberts _______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
