Hi Keith, I agree it poses a risk to leave the debug flag active in a release app, however, the fact that you cannot exploit this issue from within a separate app on recent Android versions somewhat reduces the impact since physical access to the device would be required.
You may have misunderstood what I mentioned on my previous email: "Well, I was only pointing out the technique Saurik uses to take control over the debuggable app from within a established JDWP session, that's nothing to do with the root exploit itself and should work for any debuggable app provided you are granted permission to debug it, I understand this is not a security issue, it's just obvious that someone who's granted debugging privileges would likely be able to take control over what he is debugging." I just meant that once you are granted debug access to something it's obvious you can take control over it, and that's not an actual security issue in itself, but rather the fact that you got "unauthorized" access to that particular debug channel. Cheers, Mario On 2 September 2013 10:53, Keith Makan <k3170ma...@gmail.com> wrote: > PS : > http://blog.trendmicro.com/trendlabs-security-intelligence/the-issues-surrounding-android-debugging/ > > On Thursday, August 29, 2013 1:10:11 PM UTC+2, Keith Makan wrote: > >> >> I'm largely familiar with risk around publishing a de-buggable app to the >> market, >> it basically breaks down to an attacker being able to perform remote code >> execution >> and leak the values of private and internal fields from the object >> instances and static fields. >> >> *My questions is,* does anyone know to exploit a debuggable app to >> uncontrolled achieve code exec? >> >> Regards >> > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to android-security-discuss+unsubscr...@googlegroups.com. > To post to this group, send email to > android-security-discuss@googlegroups.com. > Visit this group at > http://groups.google.com/group/android-security-discuss. > For more options, visit https://groups.google.com/groups/opt_out. > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
