For those interested, the following research paper to be presented at ACSAC later this year discusses the problem and presents a potential solution:
Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. Semantically Rich Application-Centric Security in Android. Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC), December 2009.
Regards,
-Will

On Sep 30, 2009, at 6:34 AM, Engineer_Shahryar wrote:
In reply to "question: can an app A (user doesn't trust much) be written that in presence of app B (user trusts this one), such that A could use Intents to make app B do some work and hence have an action performed without user's wish. E.g. there is a video recorder from the camera (app B), this is trusted by user. The app A (say merely a slideshow application but designed to fool) will say start a service that would raise an intent which would be handled by B and force it to start the cam recording and start storing on the SD card."

Answer: Yes, in Android it's possible for an application (untrusted) to launch another application (trusted). It's a security issue on which research is going on.

Regards,
Mobile Security Engineer Shahryar.
--
William Enck
PhD Candidate
Department of Computer Science and Engineering
The Pennsylvania State University
[email protected]
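
The scenario in the quoted question, seen from the side of the trusted app B, as an added example that is not part of the original thread or of the cited paper: a manifest fragment in which the recorder service is first declared so that any app's Intent can start it, then restricted with a signature-level permission. The package, service, action and permission names are hypothetical.

```xml
<!-- AndroidManifest.xml of the trusted recorder (app B). All names are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder">

    <!-- App B holds the sensitive permissions; a caller that reaches its
         service borrows them without holding them itself. -->
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

    <!-- Custom permission guarding the service. protectionLevel "signature"
         grants it only to apps signed with the same key as app B. -->
    <permission
        android:name="com.example.recorder.permission.START_RECORDING"
        android:protectionLevel="signature" />

    <application>

        <!-- WEAK declaration, shown for comparison only:
             exported and unguarded, so an Intent from any installed app
             (the "slideshow" app A included) can start recording.

        <service android:name=".RecorderService" android:exported="true">
            <intent-filter>
                <action android:name="com.example.recorder.action.START" />
            </intent-filter>
        </service>
        -->

        <!-- HARDENED declaration: the platform rejects startService() and
             bindService() from callers that do not hold START_RECORDING. -->
        <service
            android:name=".RecorderService"
            android:exported="true"
            android:permission="com.example.recorder.permission.START_RECORDING">
            <intent-filter>
                <action android:name="com.example.recorder.action.START" />
            </intent-filter>
        </service>

    </application>
</manifest>
```

If no other app needs the service at all, setting `android:exported="false"` and dropping the intent filter closes the path entirely.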
