
Code Released To Exploit Android App Signature Vulnerability

Submitted by chicksdaddy
chicksdaddy (814965) writes "A security researcher has published what he claims is a proof of concept program that exploits a security hole that affects almost all Android mobile devices in use today.

Pau Oliva Fora, a security researcher for the firm Via Forensics, published a small, proof of concept module on GitHub (https://gist.github.com/poliva/36b0795ab79ad6f14fd8) that exploits the flaw in the way Android verifies the authenticity of signed mobile applications. The flaw was first disclosed last week by Jeff Forristal, the Chief Technology Officer at Bluebox Security, ahead of a presentation at the Black Hat Briefings in August. (https://securityledger.com/2013/07/flaw-leaves-900m-android-devices-vulnerable/). It affects versions of Android going back four years.

The simple program leverages APKTool, a common, open source tool for reverse engineering Android applications – decompiling and then recompiling their contents. His script allows a user to select and then decompile a legitimate Android application and then recompile it, creating an altered, “malicious” APK that will have the same cryptographic signature as the original file. In an e-mail statement, Google said that a patch for Forristal’s vulnerability was provided to Google’s OEM (original equipment manufacturer) and carrier partners in March, and that some (Samsung) have already shipped a patched version of Android to customers. However, that response hasn't been universal — a reflection of Android's fragmented install base. (https://securityledger.com/2013/03/android-ecosystem-still-fragmented-insecure/)"
