Project

General

Profile

Actions

Issue #1023

closed

Fake ID - bug 13678484 & Master Key - bug 10148349 vulnerability

Added by My Self over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
High
Category:
Security
Target version:
Start date:
11/06/2014
Due date:
% Done:

0%

Estimated time:
Resolution:
fixed
Device:
Grant:
Type of work:

Description

I hope it's a good idea to open a bug ticket about the forum topic: http://redmine.replicant.us/boards/9/topics/6825

Summary
Replicant seems to be vulnerable to the following two bugs

13678484 (Fake ID)
more informations (on the Readme part if you scroll down): https://github.com/Tungstwenty/FakeIDFix
AOSP patch: https://android.googlesource.com/platform/libcore/+/2bc5e811a817a8c667bca4318ae98582b0ee6dc6

10148349 (Master Key)
more informations: http://www.saurik.com/id/19
AOSP patch: https://android.googlesource.com/platform/libcore/+/8405b26

Actions #1

Updated by Denis 'GNUtoo' Carikli over 9 years ago

  • Category changed from 51 to Security
Actions #2

Updated by Denis 'GNUtoo' Carikli over 9 years ago

Does that vulnerability permits to MITM an f-droid application?
For instance if you're downloading an f-droid application trough f-droid,
and that an attacker on the network replaces it with his own while you're download it,
will Replicant/f-droid accept the application?

Or does it only permit an application to access another application's data?

Denis.

Actions #3

Updated by My Self over 9 years ago

I don't think that f-droid seems to be the main target. (I don't know, but IMHO[!] open source apps also could include malicious code, if nobody reviews it or initializes a recent code audit).
F-droid don't have to be the only way to get .apk files on your Replicant device. I've seen a lot of open source apps, which provides ready to go .apk files within the github project page for example, (and not every open source app is available in f-droid, too).

The explicit answer of your final question is within this article: https://bluebox.com/blog/technical/android-fake-id-vulnerability/
(Abridgment: apps could manipulate for example the Adobe Systems hardcoded certificate is in the AOSP webkit PluginManager class and so it could leading to a sandbox escape and insertion of malicious code, into other applications, could access NFC hardware used in secure payments, and take device administrative control without any prompt or notification provide to the user of the device).

I've kindly asked bluebox security, if they'll made their free (but proprietary) scanner tools open source, but sadly I didn't got an answer.
I checked Replicant with the <Bluebox Security Scanner> (over a Google Play .apk converter) anyway, and so I verified that Replicant is vulnerable to this two bugs.

Actions #4

Updated by Paul Kocialkowski over 9 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

Everything pushed to the repositories, will be part of the next batch of images.

Actions

Also available in: Atom PDF