The proof of concept was not as you word it. The basic idea was that they
used an app as the vessel for their malicious payload. First off, you need
to understand how apps get onto your phone. For starters, applications are
not downloaded by the market app; the market app (back then, anyway) would
send off a notice to Google's servers. Androids themselves use a GTalk
service, which Google has leveraged in the past to delete "bad" apps from
people's phones, to install the application on your phone by sending your
phone a hidden message, "install asset", that GTalk picks up, at which point
the phone pulls down the application.

The presentation circumvented the requirement for a user to approve the
permissions as part of the market app by pulling a special token included in
its messages to Google and simply sending the message itself. Google then
installed the market application without the user's permission.
This disconnect between the market app and the installing service was what
was exploited.
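As an added illustration of the disconnect described above (this is not code from the thread, from Android or from Google; every name, token and package is constructed): a toy model of the push-install service in which the "install asset" message is accepted on the account token alone, beside a version that only accepts it together with a one-time grant issued when the user actually approved the permission list.

```python
import secrets


class InstallService:
    """Toy stand-in for the server-side push-install path (hypothetical)."""

    def __init__(self, require_approval_grant):
        # Hardened mode refuses installs that are not tied to a recorded approval.
        self.require_approval_grant = require_approval_grant
        self.account_tokens = {"device-1": "tok-constructed-123"}  # constructed
        self.pending_grants = set()   # (device, package, grant) issued on approval
        self.installed = {}           # device -> packages that would be pushed

    def approve(self, device, package):
        """Called by the market app only after the user accepts the permission list."""
        grant = secrets.token_hex(16)
        self.pending_grants.add((device, package, grant))
        return grant

    def install_asset(self, device, token, package, grant=None):
        """The hidden install message. Returns True if the push would happen."""
        if self.account_tokens.get(device) != token:
            return False            # unknown device or wrong account token
        if self.require_approval_grant:
            key = (device, package, grant)
            if key not in self.pending_grants:
                return False        # no approval on record for this package
            self.pending_grants.discard(key)   # single use, so a replay fails
        self.installed.setdefault(device, []).append(package)
        return True


def push_without_prompt(service):
    """Install message sent with the account token but no approval step at all."""
    token = service.account_tokens["device-1"]
    return service.install_asset("device-1", token, "com.example.unapproved")


def push_after_prompt(service):
    """Normal path: approval first, then the install message, then a replay."""
    token = service.account_tokens["device-1"]
    grant = service.approve("device-1", "com.example.approved")
    first = service.install_asset("device-1", token, "com.example.approved", grant)
    replay = service.install_asset("device-1", token, "com.example.approved", grant)
    return first, replay
```

With `require_approval_grant=False` the service behaves like the disconnected design the thread describes and installs on the token alone; with it set to `True` the same message is rejected unless the market app recorded the user's approval first, and the grant cannot be reused.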

On Tue, Feb 1, 2011 at 5:18 AM, perumal316 <[email protected]> wrote:

> Hi,
>
> So the flaw has been solved? Was it through an OS update?
>
> From what is mentioned, the user starts the marketplace, searches for an app,
> clicks install, permissions are shown and once approved the app will
> be downloaded onto the phone.
>
> So if I am not wrong their app is able to bypass the approving
> permission portion over at the marketplace by "stealing the service
> token".
>
> This is what I am unsure about. How can this be done in the SDK?
>
> AccountManager is a centralized registry of the user's online
> accounts. See:
>
> http://developer.android.com/reference/android/accounts/AccountManager.html
>
> Not sure how the AccountManager Class in this case is used to bypass
> the permissions.
>
> Regards,
> Perumal
>
> On Feb 1, 12:03 pm, Zach Lanier <[email protected]> wrote:
> > Perumal,
> >
> > Yes, the permission approval bypass mentioned therein was feasible, and
> > was actually turned into a proof-of-concept as a fake Angry Birds
> > expansion level pack.
> >
> > The flaw that was leveraged here was -fixed- back in November, IIRC,
> > when the PoC was first released.
> >
> > --
> > Zach Lanier | http://n0where.org/ | (617) 606-3451
> > FP: 910C F529 6947 518F 367F C21C A0A5 B9D2 46FB 1F89
> >
> > On 20110131 22:35 , perumal316 wrote:
> >
> > > Hi All,
> >
> > > Can the Android model of displaying the permissions required for a
> > > particular application be bypassed?
> >
> > > Read this article recently at:
> >
> > >http://www.csoonline.com/article/659764/shmoocon-2011-your-android-s-.
> ..
> >
> > > It is mentioned in the article that:
> > > "They were able to bypass the permission approval process and steal
> > > the authentication token from the Android AccountManager."
> >
> > > Is this feasible? Does this mean that, prior to installation, not all
> > > permissions will be shown to users? Or that an application will be
> > > downloaded and installed in the background without the user's awareness?
> >
> > > Thanks In Advance,
> > > Perumal
> >
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
>
>
