On Thu, Aug 26, 2010 at 10:18 AM, Tauren <[email protected]> wrote: > IT is entirely possible to hide things in an App. In fact it has > already been proven as seen by a 16 year old (I believe) hiding a > tether inside of a flashlight app. This year a sample rootkit was > disclosed at a well known security convention for an android that if > it made it onto a phone could easily allow command and control of the > phones functions.
If you're talking about the Spider Labs presentation at Black Hat, I believe that was just a port of some malware to Android, and YOU NEEDED TO HAVE ROOT TO INSTALL IT. Am I missing something? If I have root on a unix box, then that itself is check-mate. I don't know how that even got into Black Hat (the real 'malware' mystery, IMO). http://www.theregister.co.uk/2010/08/03/android_malware/ > Apps are thoroughly reviewed (supposedly) and > request what kind of permissions are in use. Sandboxing is not > unbeatable as proven by existing exploits, for example the Iphones > jail break me escaped the sandbox of the browser after a PDF was > rendered and used a kernel vulnerability to run its "jail break code" > this could easily have been "Pwn me" code and it would have been done > with. There will always be the potential for (fixable) security holes in the sandbox, but IMO it is a huge step up from the current level of laptop/desktop security. Any AVAS code for Android would have an empty or nearly empty DAT file :-). For me, the scariest thing I've ever seen was the unauthenticated daemon running on the original Sprint EVO load: it would let anyone get a root shell on your device! > > On Aug 24, 10:37 am, Eric Dorman <[email protected]> wrote: >> Hello, >> >> I have been investigating the Android Developer Guide and while I was >> looking through it I had an idea that maybe there is a possible >> security flaw that applications could exploit called a backdoor. >> >> I have not looked into this a lot,but I was just wondering if it is >> possible that an attacker could run this type of security flaw inside >> his app on an Android powered device? >> >> However sandboxing is a good security technique to have in the Android >> OS so this security flaw is probably rather low. >> >> Thanks & God Bless, >> Eric > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To post to this group, send email to > [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
