Hi Dianne,

Thus granting third party app access to the market auth token through the AccountManager has been disabled. (Am I correct?)
And the fix has already been implemented for Android 2.1-2.3?

Regards,
Perumal

On Feb 2, 1:53 am, Dianne Hackborn <[email protected]> wrote:
> And note there was actually an approval you did need to go through, after
> installing the app -- granting the app access to the market auth token.
> Unfortunately on top of this not really being something third party apps
> should be able to access, the wording of that approval was poor, not making
> it clear what it would allow the app to do.
>
> The fix for this was actually on the server and Market (blocking third party
> apps from using this auth token), so no OS update was needed.
>
> On Tue, Feb 1, 2011 at 6:58 AM, Patrick Vicens <[email protected]> wrote:
> > The proof of concept was not as you word it. The basic idea was that they
> > used an app as the vessel for their malicious payload. First off you need
> > to understand how apps get onto your phone. For starters applications are
> > not downloaded by the market app, the market app (back then anyways) would
> > send off a notice to Google's servers. Androids themselves use a gtalk
> > service, which Google has leveraged in the past to delete "bad" apps from
> > people's phones, to install the application on your phone by sending your
> > phone a hidden message, install asset, that gtalk picks up at which point
> > the phone pulls down the application.
> >
> > The presentation circumvented the requirement for a user to approve the
> > permissions as part of the market app by pulling a special token included in
> > its messages to Google and simply sending the message itself. Google
> > itself then installed the market application without the user's permission.
> > This disconnect between the market app and the installing service was what
> > was exploited.
> >
> > On Tue, Feb 1, 2011 at 5:18 AM, perumal316 <[email protected]> wrote:
> >> Hi,
> >>
> >> So the flaw has been solved? Was it through an OS update?
> >>
> >> From what is mentioned, user starts the marketplace, search for app,
> >> click install, Permissions are shown and once approved the app will
> >> be downloaded into the phone.
> >>
> >> So if I am not wrong their app is able to bypass the approving
> >> permission portion over at the marketplace by "stealing the service
> >> token".
> >>
> >> This is what I am unsure about. How can this be done in the SDK?
> >>
> >> AccountManager is a centralized registry of the user's online
> >> accounts. See:
> >>
> >> http://developer.android.com/reference/android/accounts/AccountManage...
> >>
> >> Not sure how the AccountManager Class in this case is used to bypass
> >> the permissions.
> >>
> >> Regards,
> >> Perumal
> >>
> >> On Feb 1, 12:03 pm, Zach Lanier <[email protected]> wrote:
> >> > Perumal,
> >> >
> >> > Yes, the permission approval bypass mentioned therein was feasible, and
> >> > was actually turned into a proof-of-concept as a fake Angry Birds
> >> > expansion level pack.
> >> >
> >> > The flaw that was leveraged here was -fixed- back in November, IIRC,
> >> > when the PoC was first released.
> >> >
> >> > --
> >> > Zach Lanier | http://n0where.org/ | (617) 606-3451
> >> > FP: 910C F529 6947 518F 367F C21C A0A5 B9D2 46FB 1F89
> >> >
> >> > On 20110131 22:35 , perumal316 wrote:
> >> > > Hi All,
> >> > >
> >> > > Can the Android model of displaying the permissions required for a
> >> > > particular application be bypassed?
> >> > >
> >> > > Read this article recently at:
> >> > >
> >> > > http://www.csoonline.com/article/659764/shmoocon-2011-your-android-s-...
> >> > >
> >> > > It is mentioned in the article that:
> >> > > "They were able to bypass the permission approval process and steal
> >> > > the authentication token from the Android AccountManager."
> >> > >
> >> > > Is this feasible? Does this mean, prior to installation not all
> >> > > permissions will be shown to users? Or an application will be
> >> > > downloaded and installed in the background without user's awareness?
> >> > >
> >> > > Thanks In Advance,
> >> > > Perumal
>
> --
> Dianne Hackborn
> Android framework engineer
> [email protected]
>
> Note: please don't send private questions to me, as I don't have time to
> provide private support, and so won't reply to such e-mails. All such
> questions should be posted on public forums, where I and others can see and
> answer them.

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
