
Submission + - Code Released To Exploit Android App Signature Vulnerability

chicksdaddy writes: A security researcher has published what he claims is a proof of concept program that exploits a security hole that affects almost all Android mobile devices in use today.

Pau Oliva Fora, a security researcher for the firm Via Forensics, published a small proof-of-concept module on GitHub that exploits the flaw in the way Android verifies the authenticity of signed mobile applications. The flaw was first disclosed last week by Jeff Forristal, the Chief Technology Officer at Bluebox Security, ahead of a presentation at the Black Hat Briefings in August. It affects versions of Android going back four years.

The simple program leverages APKTool, a common, open source tool for reverse engineering Android applications – decompiling and then recompiling their contents. His script allows a user to select and then decompile a legitimate Android application and then recompile it, creating an altered, “malicious” APK that will have the same cryptographic signature as the original file. In an e-mail statement, Google said that a patch for Forristal’s vulnerability was provided to Google’s OEM (original equipment manufacturer) and carrier partners in March, and that some (Samsung) have already shipped a patched version of Android to customers. However, that response hasn't been universal — a reflection of Android's fragmented install base.
