[Android Security] Attacking the Android Package Manager from the past.

Hi folks, here's a quick post about something I see very often in Android application code. Something that could have pretty devastating effects if taken too lightly. Something that I believe is known about in some Android development circles, but judging by some of the things I've seen in apps, this abuse of the PackageManager doesn't seem to be as widely understood as it should be. So in the following post I'm going to lay out a small trust problem folks seem to miss when dealing with Intents and the PackageManager on Android.

So here's what's up...
When developing applications for Android you often want to take advantage of other applications and services available on the hosting system. For instance, you might want to develop an app that opens Google Maps on a given set of co-ordinates, or perhaps opens a browser on a given page. Of course this is very common; it's even common to host applications that forward potentially sensitive information to other applica…

More Details on the Android JCA PRNG Flaw

I've spent a couple of days reading the source code for the pseudo-random number generators in Android, mostly because there aren't many breakdowns of the vulnerability around, and none that walk through the code explicitly anyway. After some discussion with some people from the Android Security Discussion Google Group, I realized that the issue goes a little deeper than just the super calls and the constructor definition, as I previously thought.

I was also misled by grepcode---the site I was using to read the code---since it wasn't directing me to the Android SecureRandom implementation but rather to OpenJDK's!

So I thought I'd correct myself and re-post about the issue, studying the code directly from the Android repo, namely https://android.googlesource.com/platform/libcore/+/jb-release/luni/src/main/java/java/security/SecureRandom.java