
Code Released To Exploit Android App Signature Vulnerability

Submitted by chicksdaddy
chicksdaddy (814965) writes "A security researcher has published what he claims is a proof of concept program that exploits a security hole that affects almost all Android mobile devices in use today.

Pau Oliva Fora, a security researcher for the firm Via Forensics, published a small proof of concept module on GitHub (https://gist.github.com/poliva/36b0795ab79ad6f14fd8) that exploits the flaw in the way Android verifies the authenticity of signed mobile applications. The flaw was first disclosed last week by Jeff Forristal, the Chief Technology Officer at Bluebox Security, ahead of a presentation at the Black Hat Briefings in August (https://securityledger.com/2013/07/flaw-leaves-900m-android-devices-vulnerable/). It affects versions of Android going back four years.

The simple program leverages APKTool, a common, open source tool for reverse engineering Android applications – decompiling and then recompiling their contents. His script allows a user to select and then decompile a legitimate Android application and then recompile it, creating an altered, “malicious” APK that will have the same cryptographic signature as the original file. In an e-mail statement, Google said that a patch for Forristal’s vulnerability was provided to Google’s OEM (original equipment manufacturer) and carrier partners in March, and that some (Samsung) have already shipped a patched version of Android to customers. However, that response hasn't been universal — a reflection of Android's fragmented install base. (https://securityledger.com/2013/03/android-ecosystem-still-fragmented-insecure/)"
