Hi,

So the flaw has been solved? Was it through an OS update?

From what is mentioned, the user starts the marketplace, searches for the app, clicks install, permissions are shown and once approved the app will be downloaded onto the phone. So if I am not wrong their app is able to bypass the permission approval portion over at the marketplace by "stealing the service token". This is what I am unsure about. How can this be done in the SDK?

AccountManager is a centralized registry of the user's online accounts. See:
http://developer.android.com/reference/android/accounts/AccountManager.html

Not sure how the AccountManager class in this case is used to bypass the permissions.

Regards,
Perumal

On Feb 1, 12:03 pm, Zach Lanier <[email protected]> wrote:
> Perumal,
>
> Yes, the permission approval bypass mentioned therein was feasible, and
> was actually turned into a proof-of-concept as a fake Angry Birds
> expansion level pack.
>
> The flaw that was leveraged here was -fixed- back in November, IIRC,
> when the PoC was first released.
>
> --
> Zach Lanier |http://n0where.org/| (617) 606-3451
> FP: 910C F529 6947 518F 367F C21C A0A5 B9D2 46FB 1F89
>
> On 20110131 22:35 , perumal316 wrote:
> > Hi All,
> >
> > Can the Android model of displaying the permissions required for a
> > particular application be bypassed?
> >
> > Read this article recently at:
> >
> > http://www.csoonline.com/article/659764/shmoocon-2011-your-android-s-...
> >
> > It is mentioned in the article that:
> > "They were able to bypass the permission approval process and steal
> > the authentication token from the Android AccountManager."
> >
> > Is this feasible? Does this mean, prior to installation not all
> > permissions will be shown to users? Or an application will be
> > downloaded and installed in the background without user's awareness?
> >
> > Thanks In Advance,
> > Perumal
