
An interesting Android package verification vulnerability

Bluebox Security claims to have found a way to modify code contained within an Android application package without breaking the associated cryptographic signature. "All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been." The problem was evidently disclosed to Google in February; details are promised at the Black Hat USA conference starting July 27.
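Android's check of an app signature has several layers; as an added example (not code from LWN or Bluebox), the Python below implements the innermost one for the JAR-style signing format: comparing each SHA1-Digest recorded in META-INF/MANIFEST.MF against the actual content of the zip entry it names. The APK bytes and the tamper() helper are constructed here for illustration; a real verifier also checks the .SF file's digests and the signature over it, which this example leaves out.

```python
import base64
import hashlib
import io
import zipfile

def build_manifest(entries):
    """Build a minimal META-INF/MANIFEST.MF with one SHA1-Digest per entry,
    in the layout used by Android's JAR-style (v1) package signing."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    return "\n".join(lines).encode()

def build_apk(entries):
    """Constructed sample: a zip laid out like an APK, manifest only (no .SF/.RSA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def manifest_digests(manifest):
    """Parse 'Name:' / 'SHA1-Digest:' pairs out of a manifest into a dict."""
    digests, name = {}, None
    for line in manifest.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests

def check_apk(apk_bytes):
    """Return the entries whose content does not match the manifest digest
    (entries absent from the manifest count as mismatches too)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        digests = manifest_digests(zf.read("META-INF/MANIFEST.MF"))
        for info in zf.infolist():
            if info.filename.startswith("META-INF/"):
                continue
            actual = base64.b64encode(hashlib.sha1(zf.read(info)).digest()).decode()
            if digests.get(info.filename) != actual:
                bad.append(info.filename)
    return bad

def tamper(apk_bytes, name, new_data):
    """Constructed modification: rewrite one entry, leaving MANIFEST.MF untouched."""
    src, out = zipfile.ZipFile(io.BytesIO(apk_bytes)), io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for info in src.infolist():
            zf.writestr(info.filename, new_data if info.filename == name else src.read(info))
    return out.getvalue()

# Constructed sample package: a fake classes.dex and one resource file.
SAMPLE = build_apk({"classes.dex": b"dex\n035\x00original bytecode", "res/x.xml": b"<x/>"})
```

check_apk(SAMPLE) returns an empty list, while check_apk(tamper(SAMPLE, "classes.dex", b"patched")) reports classes.dex, which is what the manifest layer is meant to catch.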

An interesting Android package verification vulnerability

Posted Jul 5, 2013 17:33 UTC (Fri) by kfazz (guest, #91727) [Link]

It's possible to extract, decompile, modify and reinject the resources out of an apk without changing the signature. I've used this to turn off carrier tether locks. And I've heard the odex files are unsigned bytecode. But if you have write access to the system partition it's pretty much a moot point. The most you would gain would be getting your modified or malicious app to run as a shared user that you don't have the private key for. It's easier to just resign all the apks on the device.

An interesting Android package verification vulnerability

Posted Jul 5, 2013 20:18 UTC (Fri) by derobert (subscriber, #89569) [Link]

We don't have the full details yet, but I think the point is that while sure, you can do stuff like this on your own rooted device, the vulnerability is that you can make and distribute a modified APK.

So, you could hypothetically make a modified APK for a system app, and distribute that. You might be able to use that for good (e.g., easy root method for people who want to root locked devices) or evil (trick people into installing it, pretending it is a leaked update for the system app).

Copyright © 2013, Eklektix, Inc.