ubuntu-phone team mailing list archive

Thread
Date

Re: "Fake ID" Android exploit

To: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
From: Bruno Girin <brunogirin@xxxxxxxxx>
Date: Thu, 31 Jul 2014 20:42:02 +0100
Cc: Ubuntu Touch <ubuntu-phone@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <53D96848.6040104@canonical.com>

On 30 July 2014 22:48, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:

> On 07/30/2014 03:50 PM, Bruno Girin wrote:
> > Hi all,
> >
> > I just found this article on the "Fake ID" exploit in Android [1]. How is
> > privileged access meant to work in Ubuntu Touch and should that sort of
> exploits
> > be a concern?
> >
> > Cheers,
> >
> > Bruno
> >
> > [1]
> >
> http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-users-to-highly-privileged-malware/
>
> Ubuntu's security model is considerably different[1][2] than android.
> There is
> no concept of granting special access based on app certificate so there is
> nothing to forge to gain privilege.
>

Thanks, that answers my question perfectly! As ever, it's the type of
complex technical subject that will be hard to explain to the skeptics who
will say "oh but once Ubuntu Touch is as popular as Windows/Android/iOS,
you'll have lots of malware on it".



>
> [1]
> https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement
> [2]
> http://developer.ubuntu.com/publish/apps/security-policy-for-click-packages/
>

And some reading for the weekend, brilliant!

Bruno

References

"Fake ID" Android exploit
From: Bruno Girin, 2014-07-30
Re: "Fake ID" Android exploit
From: Jamie Strandboge, 2014-07-30