Yes it is fixed.  This was not a platform change, so it wasn't fixed in a
platform version, but in Market.

On Tue, Feb 1, 2011 at 6:29 PM, perumal316 <[email protected]> wrote:

> Hi Dianne,
>
> Thus granting third party app access to the market auth token through
> the AccountManager has been disabled. (Am I correct?)
>
> And the fix has already been implemented for Android 2.1-2.3?
>
> Regards,
> Perumal
>
>
> On Feb 2, 1:53 am, Dianne Hackborn <[email protected]> wrote:
> > And note there was actually an approval you did need to go through, after
> > installing the app -- granting the app access to the market auth token.
> >  Unfortunately on top of this not really being something third party apps
> > should be able to access, the wording of that approval was poor, not making
> > it clear what it would allow the app to do.
> >
> > The fix for this was actually on the server and Market (blocking third party
> > apps from using this auth token), so no OS update was needed.
> >
> > On Tue, Feb 1, 2011 at 6:58 AM, Patrick Vicens <[email protected]> wrote:
> > > The proof of concept was not as you word it.  The basic idea was that they
> > > used an app as the vessel for their malicious payload.  First off you need
> > > to understand how apps get onto your phone.  For starters, applications are
> > > not downloaded by the market app; the market app (back then anyways) would
> > > send off a notice to Google's servers.  Androids themselves use a gtalk
> > > service, which Google has leveraged in the past to delete "bad" apps from
> > > people's phones, to install the application on your phone by sending your
> > > phone a hidden message, install asset, that gtalk picks up, at which point
> > > the phone pulls down the application.
> >
> > > The presentation circumvented the requirement for a user to approve the
> > > permissions as part of the market app by pulling a special token included in
> > > its messages to Google and simply sending the message itself.  Google
> > > itself then installed the market application without the user's permission.
> > > This disconnect between the market app and the installing service was what
> > > was exploited.
> >
> > > On Tue, Feb 1, 2011 at 5:18 AM, perumal316 <[email protected]> wrote:
> >
> > >> Hi,
> >
> > >> So the flaw has been solved? Was it through an OS update?
> >
> > >> From what is mentioned, user starts the marketplace, search for app,
> > >> click install, Permissions are shown and once approved the app will
> > >> be downloaded into the phone.
> >
> > >> So if I am not wrong their app is able to bypass the approving
> > >> permission portion over at the marketplace by "stealing the service
> > >> token".
> >
> > >> This is what I am unsure about. How can this be done in the SDK?
> >
> > >> AccountManager is a centralized registry of the user's online
> > >> accounts. See:
> >
> > >> http://developer.android.com/reference/android/accounts/AccountManage...
> >
> > >> Not sure how the AccountManager Class in this case is used to bypass
> > >> the permissions.
> >
> > >> Regards,
> > >> Perumal
> >
> > >> On Feb 1, 12:03 pm, Zach Lanier <[email protected]> wrote:
> > >> > Perumal,
> >
> > >> > Yes, the permission approval bypass mentioned therein was feasible, and
> > >> > was actually turned into a proof-of-concept as a fake Angry Birds
> > >> > expansion level pack.
> >
> > >> > The flaw that was leveraged here was -fixed- back in November, IIRC,
> > >> > when the PoC was first released.
> >
> > >> > --
> > >> > Zach Lanier | http://n0where.org/ | (617) 606-3451
> > >> > FP: 910C F529 6947 518F 367F C21C A0A5 B9D2 46FB 1F89
> >
> > >> > On 20110131 22:35 , perumal316 wrote:
> >
> > >> > > Hi All,
> >
> > >> > > Can the Android model of displaying the permissions required for a
> > >> > > particular application be bypassed?
> >
> > >> > > Read this article recently at:
> >
> > >> > > http://www.csoonline.com/article/659764/shmoocon-2011-your-android-s-...
> >
> > >> > > It is mentioned in the article that:
> > >> > > "They were able to bypass the permission approval process and steal
> > >> > > the authentication token from the Android AccountManager."
> >
> > >> > > Is this feasible? Does this mean, prior to installation not all
> > >> > > permissions will be shown to users? Or an application will be
> > >> > > downloaded and installed in the background without user's awareness?
> >
> > >> > > Thanks In Advance,
> > >> > > Perumal
> >
> > >> --
> > >> You received this message because you are subscribed to the Google Groups
> > >> "Android Security Discussions" group.
> > >> To post to this group, send email to [email protected].
> > >> To unsubscribe from this group, send email to [email protected].
> > >> For more options, visit this group at
> > >> http://groups.google.com/group/android-security-discuss?hl=en.
> >
> > --
> > Dianne Hackborn
> > Android framework engineer
> > [email protected]
> >
> > Note: please don't send private questions to me, as I don't have time to
> > provide private support, and so won't reply to such e-mails.  All such
> > questions should be posted on public forums, where I and others can see and
> > answer them.
>


-- 
Dianne Hackborn
Android framework engineer
[email protected]

Note: please don't send private questions to me, as I don't have time to
provide private support, and so won't reply to such e-mails.  All such
questions should be posted on public forums, where I and others can see and
answer them.
