Saturday, July 6, 2013

Android's code signature can be circumvented - Heise Newsticker

Android applications are provided with a signature to ensure the integrity of the APK package. During installation, the operating system checks the contents against the signature and warns you if it detects a manipulation. The only U.S. company founded in mid-2012 Bluebox wants to have discovered an error in this method, which enables the infiltration of arbitrary code in APK files without breaking the signature. According Bluebox are apps in Google’s Android Store “Play” not affected by the vulnerability.

details on the reported error on Google in February 2013, the company intends 8,219,321 on 1 August 2013 to announce the Black Hat conference. He is since Android 1.6 (Donut) exist, which appeared about four years ago. The correction including only two lines. So far, according to the Australian CIO website only provided an update for its Samsung Galaxy S4 closes the gap. Google wants the open source version of Android soon fixed.

Especially dangerous is the gap in conjunction with software from the manufacturers of such equipment. They have higher privileges than normal apps, so the manipulation of such an APK package an attacker confers any rights on the device. However, he would have to have access to these files. Proof of the error is the screenshot of a rigged system app: now in the version number of the baseband software inserts the string “blue box” appears


is not clear whether the issue affects pre-installed software, the attacker pushes a fake update with seemingly correct signature or whether it is the first installation of a program. (ck)

No comments:

Post a Comment