ubuntu-phone team mailing list archive

Thread
Date

Re: "Fake ID" Android exploit

To: ubuntu-phone@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
Date: Wed, 30 Jul 2014 16:48:56 -0500
In-reply-to: <CABWzvxu4Evi-7Y4zWh7SMNZy-MD=UC_ms3teCkMqYsk82m91ig@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0

On 07/30/2014 03:50 PM, Bruno Girin wrote:
> Hi all,
> 
> I just found this article on the "Fake ID" exploit in Android [1]. How is
> privileged access meant to work in Ubuntu Touch and should that sort of exploits
> be a concern?
> 
> Cheers,
> 
> Bruno
> 
> [1]
> http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-users-to-highly-privileged-malware/

Ubuntu's security model is considerably different[1][2] than android. There is
no concept of granting special access based on app certificate so there is
nothing to forge to gain privilege.

[1]https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement
[2]http://developer.ubuntu.com/publish/apps/security-policy-for-click-packages/

-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: "Fake ID" Android exploit
From: Bruno Girin, 2014-07-31

References

"Fake ID" Android exploit
From: Bruno Girin, 2014-07-30