An interesting Android package verification vulnerability
[Security] Posted Jul 3, 2013 21:46 UTC (Wed) by corbet
Bluebox Security claims
to have found a way to modify code contained within an Android application
package without breaking the associated cryptographic signature.
"All Android applications contain cryptographic signatures, which
Android uses to determine if the app is legitimate and to verify that the
app hasn’t been tampered with or modified. This vulnerability makes it
possible to change an application’s code without affecting the
cryptographic signature of the application – essentially allowing a
malicious author to trick Android into believing the app is unchanged even
if it has been." The problem was evidently disclosed to Google in
February; details are promised at the Black Hat USA
conference starting July 27.