Hi Dianne, Thanks for the info.
Regards, Perumal On Feb 2, 11:07 am, Dianne Hackborn <[email protected]> wrote: > Yes it is fixed. This was not a platform change, so it wasn't fixed in a > platform version, but in Market. > > > > > > On Tue, Feb 1, 2011 at 6:29 PM, perumal316 <[email protected]> wrote: > > Hi Dianne, > > > Thus granting third party app access to the market auth token through > > the AccountManager has been disabled. (Am I correct?) > > > And the fix has already been implemented for Android 2.1-2.3? > > > Regards, > > Perumal > > > On Feb 2, 1:53 am, Dianne Hackborn <[email protected]> wrote: > > > And note there was actually an approval you did need to go through, after > > > installing the app -- granting the app access to the market auth token. > > > Unfortunately on top of this not really being something third party apps > > > should be able to access, the wording of that approval was poor, not > > making > > > it clear what it would allow the app to do. > > > > The fix for this was actually on the server and Market (blocking third > > party > > > apps from using this auth token), so no OS update was needed. > > > > On Tue, Feb 1, 2011 at 6:58 AM, Patrick Vicens <[email protected]> > > wrote: > > > > The proof of concept was not as you word it. The basic idea was that > > they > > > > used an app as the vessel for their malicious payload. First off you > > need > > > > to understand how apps get onto your phone. For starters applications > > are > > > > not downloaded by the market app, the market app (back then anyways) > > would > > > > send off a notice to googles servers. Androids themselves use a gtalk > > > > service, which google has leveraged in the past to delete "bad" apps > > from > > > > peoples phone, to install the application on your phone by sending your > > > > phone a hidden message, install asset, that gtalk picks up at which > > point > > > > the phone pulls down the application. > > > > > The presentation circumvented the requirement for a user to approve the > > > > permissions as part of the market app by pulling a special token > > included in > > > > its messages to google and simply sending the message itself. Google > > then > > > > itself then installed the market application without the users > > permission. > > > > This disconnect between the market app and the installing service was > > what > > > > was exploited. > > > > > On Tue, Feb 1, 2011 at 5:18 AM, perumal316 <[email protected]> > > wrote: > > > > >> Hi, > > > > >> So the flaw has been solved? Was it through an OS update? > > > > >> From what is mentioned, user starts the marketplace, search for app, > > > >> click install, Permissions are showed and once approved the app will > > > >> be downloaded into the phone. > > > > >> So if I am not wrong their app is able to bypass the approving > > > >> permission portion over at the marketplace by "stealing the service > > > >> token". > > > > >> This is what I am unsure about. How can this be done in the SDK? > > > > >> AccountManager is a centralized registry of the user's online > > > >> accounts. See: > > > > >>http://developer.android.com/reference/android/accounts/AccountManage. > > .. > > > > >> Not sure how the AccountManager Class in this case is used to bypass > > > >> the permissions. > > > > >> Regards, > > > >> Perumal > > > > >> On Feb 1, 12:03 pm, Zach Lanier <[email protected]> wrote: > > > >> > Perumal, > > > > >> > Yes, the permission approval bypass mentioned therein was feasible, > > and > > > >> > was actually turned into a proof-of-concept as a fake Angry Birds > > > >> > expansion level pack. > > > > >> > The flaw that was leveraged here was -fixed- back in November, IIRC, > > > >> > when the PoC was first released. > > > > >> > -- > > > >> > Zach Lanier |http://n0where.org/|<http://n0where.org/%7C> (617) > > > >> 606-3451 > > > >> > FP: 910C F529 6947 518F 367F C21C A0A5 B9D2 46FB 1F89 > > > > >> > On 20110131 22:35 , perumal316 wrote: > > > > >> > > Hi All, > > > > >> > > Can the Android model of displaying the permissions required for > > an > > > >> > > particular application be bypassed? > > > > >> > > Read this article recently at: > > >http://www.csoonline.com/article/659764/shmoocon-2011-your-android-s-. > > > >> .. > > > > >> > > It is mentioned in the article that: > > > >> > > "They were able to bypass the permission approval process and > > steal > > > >> > > the authentication token from the Android AccountManager." > > > > >> > > Is this feasible? Does this means, prior to installation not all > > > >> > > permissions will be shown to users? Or an application will be > > > >> > > downloaded and installed in the background without user's > > awareness? > > > > >> > > Thanks In Advance, > > > >> > > Perumal- Hide quoted text - > > > > >> > - Show quoted text - > > > > >> -- > > > >> You received this message because you are subscribed to the Google > > Groups > > > >> "Android Security Discussions" group. > > > >> To post to this group, send email to > > > >> [email protected]. > > > >> To unsubscribe from this group, send email to > > > >> [email protected]<android-security-discuss%[email protected]> > > <android-security-discuss%[email protected]<uss%252Bunsubscri[email protected]> > > > > >> . > > > >> For more options, visit this group at > > > >>http://groups.google.com/group/android-security-discuss?hl=en. > > > > > -- > > > > You received this message because you are subscribed to the Google > > Groups > > > > "Android Security Discussions" group. > > > > To post to this group, send email to > > > > [email protected]. > > > > To unsubscribe from this group, send email to > > > > [email protected]<android-security-discuss%[email protected]> > > <android-security-discuss%[email protected]<uss%252Bunsubscri[email protected]> > > > > > . > > > > For more options, visit this group at > > > >http://groups.google.com/group/android-security-discuss?hl=en. > > > > -- > > > Dianne Hackborn > > > Android framework engineer > > > [email protected] > > > > Note: please don't send private questions to me, as I don't have time to > > > provide private support, and so won't reply to such e-mails. All such > > > questions should be posted on public forums, where I and others can see > > and > > > answer them.- Hide quoted text - > > > > - Show quoted text - > > > -- > > You received this message because you are subscribed to the Google Groups > > "Android Security Discussions" group. > > To post to this group, send email to > > [email protected]. > > To unsubscribe from this group, send email to > > [email protected]<android-security-discuss%[email protected]> > > . > > For more options, visit this group at > >http://groups.google.com/group/android-security-discuss?hl=en. > > -- > Dianne Hackborn > Android framework engineer > [email protected] > > Note: please don't send private questions to me, as I don't have time to > provide private support, and so won't reply to such e-mails. All such > questions should be posted on public forums, where I and others can see and > answer them.- Hide quoted text - > > - Show quoted text - -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
