[Dailydave] Android Attacks Slides

Moxie Marlinspike moxie at thoughtcrime.org
Thu Apr 5 22:56:08 EDT 2012


On 04/05/2012 03:06 PM, r3dRAND wrote:
> Does that imply that if an app requests a non-existent permission,
> say, "TELEPATHY_SEND_RCV", then it will be silently accepted. Then,
> if Android 6 supports that permission and the user upgrades the OS,
> the app would execute with that permission w/o any confirmation?

Yes, there's even a comment in the PackageManagerService class source
where the author muses that this is possible, and notes that they should
potentially do something about that at some point.  I'm not sure whether
that's better or worse than simply overlooking it completely.  =)

Of course, this is the same security-critical class that has a 400-line
constructor, which alone contains the word "hack" three times.

- moxie

-- 
http://www.thoughtcrime.org
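
An audit for the case discussed in this message, flagging manifest permission requests that nothing currently defines. This is an added example, not part of the original post and not Android source code. The platform permission subset, the sample manifest, the function name and the `android.permission.` prefix on the thread's TELEPATHY_SEND_RCV name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed subset of platform-defined permissions (assumption); a real
# audit would load the full list for the platform version being targeted.
PLATFORM_PERMISSIONS = frozenset({
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
})

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <permission android:name="com.example.app.permission.SYNC" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="com.example.app.permission.SYNC" />
  <uses-permission android:name="android.permission.TELEPATHY_SEND_RCV" />
  <uses-permission android:name="com.other.vendor.permission.FUTURE" />
</manifest>"""


def undefined_permission_requests(manifest_xml, platform_permissions):
    """Return (name, scope) for each requested permission with no known definition."""
    root = ET.fromstring(manifest_xml)
    # Permissions the app defines itself are legitimate requests.
    declared = {e.get(NAME_ATTR) for e in root.iter("permission")}
    known = set(platform_permissions) | declared
    findings = []
    for elem in root.iter("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name is None:
            findings.append(("<missing android:name>", "malformed"))
        elif name not in known:
            # A platform-namespace name with no definition is the case raised
            # in the thread. Other names may be defined by another app, which
            # the manifest alone cannot show, so they are only "unresolved".
            in_platform_ns = name.startswith("android.permission.")
            scope = "platform-namespace" if in_platform_ns else "unresolved-third-party"
            findings.append((name, scope))
    return findings


if __name__ == "__main__":
    for name, scope in undefined_permission_requests(SAMPLE_MANIFEST, PLATFORM_PERMISSIONS):
        print("%-24s %s" % (scope, name))
```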

