Android Exploit

From: Ken (SHIELDSIT) 4 Jul 2013 21:49
To: ALL 1 of 15
I see a bunch of noise today about a new exploit that affects pretty much all versions of Android. Can someone smart tell me if having your device encrypted would guard against this in any way?
From: ANT_THOMAS 4 Jul 2013 22:29
To: Ken (SHIELDSIT) 2 of 15
I've not read much but isn't it a case of an app developer being able to change the permissions of the app without the user knowing? I could be wrong though.

I don't think I've ever really checked through what apps have access to when I install them, which I probably should do.
From: Ken (SHIELDSIT) 4 Jul 2013 23:05
To: ANT_THOMAS 3 of 15
quote:
The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.


http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

From: Chris (CHRISSS) 4 Jul 2013 23:09
To: Ken (SHIELDSIT) 4 of 15
I have already hacked your phone with it.
From: Ken (SHIELDSIT) 4 Jul 2013 23:17
To: Chris (CHRISSS) 5 of 15
Find anything useful?  You can use it to call all your American friends if you want!  And I have unlimited data so if you want to Jim anything feel free!
From: Chris (CHRISSS) 4 Jul 2013 23:22
To: Ken (SHIELDSIT) 6 of 15
I've sent emails detailing terrorist plots you intend to carry out to Al Qaeda leaders. Just waiting for the NSA to knock on your door soon.
From: Manthorp 4 Jul 2013 23:45
To: Chris (CHRISSS) 7 of 15
Ken: If the Feds call you and say something bad on you, it may prove what Chrisss said are truth, you ought to be afraid of it.
EDITED: 4 Jul 2013 23:46 by MANTHORP
From: ANT_THOMAS 5 Jul 2013 00:13
To: Ken (SHIELDSIT) 8 of 15
But don't you have to actually install the modified APK for that to happen?
From: Ken (SHIELDSIT) 5 Jul 2013 00:55
To: ANT_THOMAS 9 of 15
Yes, but it sounds like even a modified APK still passes a hash test and can't be detected by the app store.
From: Ken (SHIELDSIT) 5 Jul 2013 00:57
To: Chris (CHRISSS) Manthorp 10 of 15
Great, that's all I need. Although they already knew all of that because they read all my correspondence.


Manthorp, I think if you remember in 321.08 I detailed the plot about the feds and the truthlessness of their words.  Don't be fooled, they lie on me all the time!
From: CHYRON (DSMITHHFX) 5 Jul 2013 21:01
To: Manthorp 11 of 15
And so Kathaskung was unmasked...
From: Manthorp 5 Jul 2013 22:55
To: CHYRON (DSMITHHFX) 12 of 15
Dammit! Blown my cover!
From: Chris (CHRISSS) 8 Jul 2013 22:11
To: Ken (SHIELDSIT) 13 of 15
You're still here? Maybe you are an NSA agent spying on us.
From: Ken (SHIELDSIT) 9 Jul 2013 02:34
To: Chris (CHRISSS) 14 of 15
In a roundabout way I suppose I am!
From: Mizzy 11 Jul 2013 16:14
To: Ken (SHIELDSIT) 15 of 15
Hi Ken,
No, encrypting your phone does nothing against this. Encrypting your phone just protects you against offline attacks; when your phone is on and you have unlocked it (with your more than 4 digit PIN!!) it does nothing to protect your phone.

Google's app store has an option now to verify the APK, so it is sort of fixed.

Marie.