Bah. Forgot that a reply doesn't go to the list. See below.

---------- Forwarded message ----------
From: Joman Chu <joman...@gmail.com>
Date: Mon, Nov 5, 2012 at 6:46 PM
Subject: Re: [android-security-discuss] Recently discovered Smishing (sms phishing) Vulnerability in Multiple Android Platforms (Gingerbread, ICS, JellyBean)
To: "Hannes K." <h.dampf201...@googlemail.com>

Some proof of concept exploit code exists here
https://github.com/thomascannon/android-sms-spoof

I haven't yet seen the official Google patch to fix the bug, so I can't say for sure where the problem is. But I think the problem is here:
https://github.com/android/platform_packages_apps_mms/blob/master/AndroidManifest.xml#L53

As you can see, SmsReceiverService is exported without any permission checks specified in the AndroidManifest. Further, there are no permission checks inside the ServiceHandler that handles the incoming Intent. That code is here:
https://github.com/android/platform_packages_apps_mms/blob/master/src/com/android/mms/transaction/SmsReceiverService.java

On Mon, Nov 5, 2012 at 6:18 PM, Hannes K. <h.dampf201...@googlemail.com> wrote:
> Regarding Prof. Xuxian Jiang's research
>
> there seems to be a security flaw which can be used for SMISHING and it
> affects a broad range of Android versions.
>
> I am curious what the source of this leak is and I am wondering if someone
> out there has a clue how they got it to work.
> I am new to android-security and I don't want to build a malicious app!!
> (I just got thrown into an android security project at the Uni)
>
> I hope to get the ball rolling for a technical discussion.
>
> Cheers
> Hannes
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/android-security-discuss/-/sQHa-0nizTkJ.
> To post to this group, send email to
> android-security-discuss@googlegroups.com.
> To unsubscribe from this group, send email to
> android-security-discuss+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
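
Added example, not part of the thread and not code from Google or the linked repositories: a manifest audit for the condition the reply points at, an exported component that declares no permission. The manifest, package name and component names are constructed for illustration; content providers are left out because their export defaults and read/write permissions differ.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (not copied from the Mms app): one service is
# exported with no permission, as the post describes; others are protected.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messaging">
  <application>
    <service android:name=".SmsReceiverService" android:exported="true" />
    <service android:name=".GuardedService" android:exported="true"
        android:permission="com.example.messaging.permission.INTERNAL" />
    <service android:name=".PrivateService" android:exported="false" />
    <receiver android:name=".StatusReceiver">
      <intent-filter>
        <action android:name="com.example.messaging.STATUS" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def is_exported(component):
    """Explicit android:exported wins; otherwise, on the platform versions in
    this thread, a component with an intent-filter is exported by default."""
    explicit = component.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def unprotected_exported_components(manifest_xml):
    """Return (tag, name) for exported components with no permission on the
    component itself and none inherited from <application>."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for app in root.iter("application"):
        app_permission = app.get(ANDROID_NS + "permission")
        for component in app:
            if component.tag not in COMPONENT_TAGS or not is_exported(component):
                continue
            permission = component.get(ANDROID_NS + "permission") or app_permission
            if not permission:
                findings.append((component.tag, component.get(ANDROID_NS + "name")))
    return findings


if __name__ == "__main__":
    for tag, name in unprotected_exported_components(SAMPLE_MANIFEST):
        print(f"exported {tag} without permission: {name}")
```

A finding is a candidate for review rather than a confirmed flaw: the component's handler may still verify its caller in code, which is the second thing the reply says is missing here.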