Hole found in Android code base
Posted by Stefan Mileschin ([M] Reviewer), 5th July 2013, 07:48   #1

The Android code has a hole that allows a hacker to modify a digitally signed Android application package file without breaking its cryptographic signature, which would normally set off a red flag that something is amiss.

Security experts at Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas next month.

Some handset vendors have patched the problem and Google will release a patch to the Android Open Source Project (AOSP).

Bluebox chief technology officer Jeff Forristal said that the vulnerability affects multiple generations of Android devices for the last four years. Nearly 900 million devices are potentially affected.

The best case scenario is that an Android device would be jailbroken, but it is possible for an attacker to inject a legitimate application with malware that could enable the attacker to read corporate data such as email, make phone calls, send SMS messages, or even retrieve passwords and account information.

Normally applications are digitally signed to establish or confirm the identity of the developer and the signatures also ensure that any future updates are issued only by the application's developer.

However, Forristal claims this can be done by not breaking the signature. This makes it possible to update any application on a phone and get access to data.

Applications developed and pre-installed by handset manufacturers that are platform-signed are granted system level access, one layer away from root access.

This means that if you can get your hands on a platform-issued application, you can get full access to the system and that includes applications, accounts, passwords—everything the OS is in charge of handling.

Forristal told Threatpost that the fix is relatively painless and involves two lines of code in a very specific location. It requires a firmware update to the device, but fixing the bug is simple. It's more complicated to issue a firmware update.

http://news.techeye.net/security/hol...roid-code-base