And note there was actually an approval you did need to go through, after installing the app -- granting the app access to the market auth token. Unfortunately on top of this not really being something third party apps should be able to access, the wording of that approval was poor, not making it clear what it would allow the app to do.
The fix for this was actually on the server and Market (blocking third party apps from using this auth token), so no OS update was needed.

On Tue, Feb 1, 2011 at 6:58 AM, Patrick Vicens <[email protected]> wrote:
> The proof of concept was not as you word it. The basic idea was that they
> used an app as the vessel for their malicious payload. First off you need
> to understand how apps get onto your phone. For starters, applications are
> not downloaded by the Market app; the Market app (back then anyways) would
> send off a notice to Google's servers. Androids themselves use a GTalk
> service, which Google has leveraged in the past to delete "bad" apps from
> people's phones, to install the application on your phone by sending your
> phone a hidden message, "install asset", that GTalk picks up, at which point
> the phone pulls down the application.
>
> The presentation circumvented the requirement for a user to approve the
> permissions as part of the Market app by pulling a special token included in
> its messages to Google and simply sending the message itself. Google itself
> then installed the Market application without the user's permission.
> This disconnect between the Market app and the installing service was what
> was exploited.
>
> On Tue, Feb 1, 2011 at 5:18 AM, perumal316 <[email protected]> wrote:
>
>> Hi,
>>
>> So the flaw has been solved? Was it through an OS update?
>>
>> From what is mentioned, the user starts the marketplace, searches for an app,
>> clicks install, permissions are shown, and once approved the app will
>> be downloaded onto the phone.
>>
>> So if I am not wrong, their app is able to bypass the permission
>> approval portion over at the marketplace by "stealing the service
>> token".
>>
>> This is what I am unsure about. How can this be done in the SDK?
>>
>> AccountManager is a centralized registry of the user's online
>> accounts. See:
>>
>> http://developer.android.com/reference/android/accounts/AccountManager.html
>>
>> Not sure how the AccountManager class in this case is used to bypass
>> the permissions.
>>
>> Regards,
>> Perumal
>>
>> On Feb 1, 12:03 pm, Zach Lanier <[email protected]> wrote:
>> > Perumal,
>> >
>> > Yes, the permission approval bypass mentioned therein was feasible, and
>> > was actually turned into a proof-of-concept as a fake Angry Birds
>> > expansion level pack.
>> >
>> > The flaw that was leveraged here was -fixed- back in November, IIRC,
>> > when the PoC was first released.
>> >
>> > --
>> > Zach Lanier | http://n0where.org/ | (617) 606-3451
>> > FP: 910C F529 6947 518F 367F C21C A0A5 B9D2 46FB 1F89
>> >
>> > On 20110131 22:35 , perumal316 wrote:
>> > > Hi All,
>> > >
>> > > Can the Android model of displaying the permissions required for a
>> > > particular application be bypassed?
>> > >
>> > > Read this article recently at:
>> > > http://www.csoonline.com/article/659764/shmoocon-2011-your-android-s-...
>> > >
>> > > It is mentioned in the article that:
>> > > "They were able to bypass the permission approval process and steal
>> > > the authentication token from the Android AccountManager."
>> > >
>> > > Is this feasible? Does this mean that, prior to installation, not all
>> > > permissions will be shown to users? Or that an application will be
>> > > downloaded and installed in the background without the user's awareness?
>> > >
>> > > Thanks In Advance,
>> > > Perumal
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Android Security Discussions" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/android-security-discuss?hl=en.

--
Dianne Hackborn
Android framework engineer
[email protected]

Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them.
