Perumal,

Yes, the permission approval bypass mentioned therein was feasible, and was actually turned into a proof-of-concept as a fake Angry Birds expansion level pack.
The flaw that was leveraged here was -fixed- back in November, IIRC, when the PoC was first released.

--
Zach Lanier | http://n0where.org/ | (617) 606-3451
FP: 910C F529 6947 518F 367F C21C A0A5 B9D2 46FB 1F89

On 20110131 22:35, perumal316 wrote:
> Hi All,
>
> Can the Android model of displaying the permissions required for a
> particular application be bypassed?
>
> Read this article recently at:
>
> http://www.csoonline.com/article/659764/shmoocon-2011-your-android-s-dirty-little-secret
>
> It is mentioned in the article that:
> "They were able to bypass the permission approval process and steal
> the authentication token from the Android AccountManager."
>
> Is this feasible? Does this mean, prior to installation not all
> permissions will be shown to users? Or an application will be
> downloaded and installed in the background without user's awareness?
>
> Thanks In Advance,
> Perumal
