I'm a little confused about the mnt/asec folder and wondered if any of you had thoughts as to why what I'm seeing is the way it is.
So by my understanding, on Jelly Bean the mnt/asec folder is the location under which apps are installed when they are distributed via Google Play and when encryption of the package is performed when forward locking is turned on. Is that right?

What's confusing me, though, is that the mnt/asec folder has User Permissions which seem particularly weak and I don't understand why. For example, the following permissions are seen on the mnt/asec folder itself and on subfolders within it (obfuscated folder / filenames where appropriate). Oh, I'm using a Galaxy Nexus device with the Google Stock yakju_jzo54k Jelly Bean image just flashed onto it.

    drwxr-xr-x root   system /mnt/asec
    drwxr-xr-x system system /mnt/asec/com.appdeveloper.app-1
    drwxr-xr-x system system /mnt/asec/com.appdeveloper.app-1/lib
    -rw-r----- system u0_a60 /mnt/asec/com.appdeveloper.app-1/pkg.apk
    -rw-r--r-- system system /mnt/asec/com.appdeveloper.app-1/res.zip
    -rw-r--r-- system system /mnt/asec/com.appdeveloper.app-1/lib/ndk.so

What surprised me is that world read rights are available to some of the directories and files. When located under the /data folder, these files wouldn't be viewable without taking some (albeit not impossible) action to get enough permissions to get into the folders. Here several of the files are straight away visible through any free file explorer tool downloaded from Google Play.

Any ideas as to why world read is required here and what benefit it gives? Whilst I certainly appreciate that it's possible to get at this content if someone truly wants to, it surprises me that the barrier to entry has been lowered here.
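The permission check the post describes, as an added example that is not part of the original message: it parses the quoted listing and works out which files a given UID can read, including the execute bit needed on every parent directory. The UID `u0_a61` used in the usage comment is a constructed stand-in for an unrelated app, each app is assumed to hold only its own same-named group, and directories absent from the listing (such as `/mnt`) are assumed traversable.

```python
import posixpath

# The listing quoted in the post: mode, owner, group, path.
LISTING = """\
drwxr-xr-x root   system /mnt/asec
drwxr-xr-x system system /mnt/asec/com.appdeveloper.app-1
drwxr-xr-x system system /mnt/asec/com.appdeveloper.app-1/lib
-rw-r----- system u0_a60 /mnt/asec/com.appdeveloper.app-1/pkg.apk
-rw-r--r-- system system /mnt/asec/com.appdeveloper.app-1/res.zip
-rw-r--r-- system system /mnt/asec/com.appdeveloper.app-1/lib/ndk.so
"""

def parse_listing(text):
    """Return {path: (mode, owner, group)} for 'mode owner group path' lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and len(fields[0]) == 10:
            mode, owner, group, path = fields
            entries[path] = (mode, owner, group)
    return entries

def perm_class(entry, user, groups):
    """Pick the rwx triplet that applies: owner first, then group, then other."""
    mode, owner, group = entry
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]

def can_read(entries, path, user, groups=()):
    """Need r on the file and x (search) on every listed ancestor directory."""
    if perm_class(entries[path], user, groups)[0] != "r":
        return False
    parent = posixpath.dirname(path)
    while parent in entries:  # unlisted ancestors are assumed traversable
        if perm_class(entries[parent], user, groups)[2] not in "xst":
            return False
        parent = posixpath.dirname(parent)
    return True

def readable_files(entries, user, groups=()):
    """Sorted list of regular files in the listing that this UID can read."""
    return sorted(p for p, e in entries.items()
                  if e[0].startswith("-") and can_read(entries, p, user, groups))

# Usage: readable_files(parse_listing(LISTING), "u0_a61", ("u0_a61",))
```

For an unrelated app UID the result contains `res.zip` and `lib/ndk.so` but not `pkg.apk`, which is readable only through the `u0_a60` group.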