This is tantalising and makes me want to work out what the problem is pre-Blackhat. Looking at JAR signing in general (which is what Android packages are) I see a few possible flaws:

* The zip format doesn't structurally guarantee uniqueness of names in file entries. If the APK signature verification chooses the first matching file entry for a given name, and unpacking chooses the last, then you're screwed in the way described.

* The JAR signing scheme signs a file containing hashes of file name/data hash pairs. However, there seems to be no part of the verification steps (in the JAR specification) where extra files not mentioned in the signed data cause signature rejection. This seems like a bad idea.

From the description, though, it sounds like a key management problem. Anyway, this talk is definitely on my Blackhat schedule!
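As an added illustration of the two weaknesses listed in that comment (this is example code written for this page, not code from the thread, from Bluebox or from Android), the following Python builds a constructed toy "APK" whose `classes.dex` appears twice and which carries one file the signed manifest never lists. `first_match_read` stands in for a verifier that stops at the first central-directory hit, `last_match_read` for an extractor where the last entry wins (which is how `zipfile.read()` behaves), and `strict_verify` is a defensive check that rejects duplicate names, entries missing from the manifest, and digest mismatches on every occurrence of a name. The manifest is a plain dict of SHA-256 hex digests rather than a real `META-INF/MANIFEST.MF`; that simplification is an assumption of the example.

```python
"""Added example: checks for duplicate zip entries and for entries not covered
by a signed manifest. Standard library only; the archive and manifest below
are constructed sample data, not a real Android package."""
import hashlib
import io
import warnings
import zipfile


def build_zip(entries):
    """Write (name, data) pairs into an in-memory zip, keeping duplicate names.
    zipfile emits a UserWarning for a repeated name but still appends the
    entry, which is exactly the structural property the comment points at."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the signed manifest covers two files, but the archive
# carries classes.dex twice and one file the manifest never mentions.
SIGNED_MANIFEST = {
    "classes.dex": sha256(b"original-dex"),
    "res/icon.png": sha256(b"png-bytes"),
}
SAMPLE_APK = build_zip([
    ("classes.dex", b"original-dex"),
    ("classes.dex", b"replacement-dex"),
    ("res/icon.png", b"png-bytes"),
    ("assets/unlisted.bin", b"not in manifest"),
])


def first_match_read(zip_bytes, name):
    """A verifier that walks the central directory and stops at the first hit.
    Opening by ZipInfo seeks to that entry's own local header."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.open(info).read()
    raise KeyError(name)


def last_match_read(zip_bytes, name):
    """An extractor where the last entry wins. zipfile.read(str) does this
    because its name->entry map is overwritten by each later duplicate."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def strict_verify(zip_bytes, manifest):
    """Defensive check: return a list of findings, empty when the archive is
    consistent with the manifest. Every occurrence of a name is hashed and
    compared, duplicate names are reported, and so are entries the manifest
    does not list (META-INF/ signature files are exempt, as in JAR signing)."""
    findings = []
    seen = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name in seen:
                findings.append(f"duplicate entry: {name}")
            seen.add(name)
            if name.startswith("META-INF/"):
                continue
            if name not in manifest:
                findings.append(f"entry not in signed manifest: {name}")
            elif sha256(zf.open(info).read()) != manifest[name]:
                findings.append(f"digest mismatch: {name}")
    return findings


if __name__ == "__main__":
    print("verifier sees :", first_match_read(SAMPLE_APK, "classes.dex"))
    print("extractor sees:", last_match_read(SAMPLE_APK, "classes.dex"))
    for finding in strict_verify(SAMPLE_APK, SIGNED_MANIFEST):
        print("REJECT:", finding)
```

Run as a script it prints the two different `classes.dex` payloads the verifier and the extractor would each see, then the three findings that a strict verifier would use to reject the package. The same `strict_verify` returns an empty list for a zip containing exactly the manifest's two files with matching contents.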
Maybe I'm missing something, but I don't see how this security bug could be used against a majority of people. Can someone explain to me how this exploit could be used against people?

To me, it seems like someone would have to side-load an application. Anything coming from the Play store should be safe?
Is it my imagination or is 5 months a very short disclosure window for a vulnerability that affects Androids since Donut?

I think about how manufacturers drag their feet on normal updates and can't imagine what heaven and earth movement would be required to patch this industry wide.

Then again, maybe the attack surface for this is small enough that it's manageable.
If I'm reading this correctly, this hack would potentially allow a standard app developer to create an app that has elevated permissions and thereby be able to access and transmit any data on the phone.

The story also says that this hack could be used to send text messages and other communications. In the wrong hands this could be a devastating financial and social exploit.
This is really one of those news items that just seems to be bought by Android's competitors.

The user has to install a pirated APK. Also, the Play store is SSL secured. Just use common sense.
I don't get why root access is so much worse than any other problem:

1. Apps like Skype already allow themselves access to so much sensitive and private information, and things like the Motorola spyware uncovered recently (https://news.ycombinator.com/item?id=5973282) are so bad that I find the extra evilness possible with root access not so significant. What amount of additional harm would it really be? Intercepting network traffic? A better hidden rootkit that even hides from the few users who have jailbroken their phone?

2. The Linux kernel regularly has security bugs and we know that Android phone manufacturers don't update devices timely or at all. Wouldn't every Android phone have at least one exploit for the kernel itself at any given point in time? Where are the apps that just use this to gain root access? Or has Google hardened the kernel well enough that there are no known exploits by which an APK with native code doing syscalls can increase its privileges?
Bluebox seems to be having some sporadic database connection problems. Here's the Coral Cache mirror: http://bluebox.com.nyud.net/corporate-blog/bluebox-uncovers-android-master-key/
So, it seems, there is some "special, less strict" way to install packages for "trusted vendors", because it is much less probable to find a major flaw in a standard jarsigner + zipalign procedure. If so, it is just another idiotic "management decision".
Looking on the bright side, this offers a wonderful new opportunity to root your phone without rooting your phone.

And at what point do we stop calling these sorts of problems "vulnerabilities" and start calling them surreptitious "back doors"?
There are some weird sentences in this that make it very confusing:

"Installation of a Trojan application from the device manufacturer"

Ok, so the manufacturer of the device is shipping a trojan on my device. Isn't there a bigger problem in this situation?