This doesn't answer Sebastian's actual questions, but I support him in 
questioning research results. Fame and name are no free ticket to publish 
anything, and especially not for the rest of the world to blindly trust in the 
correctness of someone's results. Humans do make mistakes, even the famous 
ones! And especially, if the results are correct it is easy to argue 
that they actually are. Last, documents are written so that you don't have to do 
everything yourself! So, IMHO Sebastian's questions are absolutely 
justified!

best
-Daniel

On Wednesday, 30 July 2014 11:43:18 UTC+2, Kristian Hermansen wrote:
>
> Reading and *doing* are two different things. I highly encourage you to 
> *do* because many times even the best documentation does not properly 
> represent how a system actually works. Again, if you have questions, devise 
> your own experiments by DOING and if you have questions then ask RFP 
> directly...
>
> --
> Regards,
>
> Kristian Erik Hermansen
> https://www.linkedin.com/in/kristianhermansen
> On Jul 30, 2014 2:36 AM, "reox" <[email protected]> wrote:
>
>> Yes, I mean I trust them that they found something. All the security 
>> researchers have my biggest respect for the job they are doing.
>> But maybe I did not understand the text well enough: isn't it true that 
>> chains of trust are never checked on the Android system, by design? In 
>> the last weeks I read a lot about the Android signing system, and what the 
>> author writes there is just not what I remember having read.
>> In comparison to .jar files, where a chain of trust must be supplied, 
>> otherwise the app is untrusted?
>> But as far as I understood the signing process on Android, its only 
>> purpose is to check if an app is allowed to overwrite another app with the 
>> same package name and if signature-based permissions can be granted. That's 
>> why it is not important to have any trust chains or PKI in place, but to keep 
>> your private key secure (so no one else can sign apps with your key).
>>
>> Can someone give me a hint about this Google bug number? I cannot find a Google 
>> bug tracker (or is it private?).
>>
>> Thanks!
>>
>>
>> On Wednesday, 30 July 2014 11:11:26 UTC+2, Kristian Hermansen wrote:
>>>
>>> Why would you doubt Rain Forest Puppy's research? Surely this is a 
>>> vulnerability if Google patched it. I'm sure you will enjoy the talk by RFP 
>>> as he is a well respected security researcher. I think you are not 
>>> understanding Android security if you don't understand the issues here, but 
>>> I doubt the research is embellished. RFP is not one to do so...
>>>
>>> --
>>> Regards,
>>>
>>> Kristian Erik Hermansen
>>> https://www.linkedin.com/in/kristianhermansen
>>> On Jul 30, 2014 1:59 AM, "reox" <[email protected]> wrote:
>>>
>>>> Today I read this article 
>>>> http://www.bluebox.com/blog/technical/android-fake-id-vulnerability/ 
>>>> stating that application signing is basically broken.
>>>> But as far as I understand the article, the author is wrong in many 
>>>> assumptions, I believe, but I have not seen his complete presentation 
>>>> yet, which will be released at Black Hat.
>>>>
>>>> The author speaks of PKI and chain of trust, but as far as I know 
>>>> this was never planned to be used on Android. As far as I understand the 
>>>> concept of code signing on Android, it is just a bit-per-bit compare of 
>>>> certificate files to ensure that the app is allowed to do things. While on 
>>>> installation the signatures are checked too, to ensure that the developer 
>>>> really signed the application.
>>>> Also it is stated that if you put another certificate into your 
>>>> app, you can impersonate other apps. I do not think this is possible 
>>>> either, because all certificates are checked, not only a subset of them. 
>>>> Also, without having the private key, you could not sign your 
>>>> application, so it would not even install.
>>>>
>>>> I do not understand what the problem is here. Does anyone have more 
>>>> information?
>>>>
>>>> regards
>>>> -sebastian
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "Android Security Discussions" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> Visit this group at 
>>>> http://groups.google.com/group/android-security-discuss.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>
>
