by CaveTech
4990 days ago
Sadly not too many details are published. Wouldn't be surprised if the main vulnerability was caused by applications blindly trusting any certificate - which happens to be a fairly common design pattern when dealing with Android. Sadly, a lot of popular signing authorities are not trusted by default in some versions of Android, and it isn't an easy task to get a user to add others. There are several apps I've used where I've had no choice except to trust all authorities. I know the dangers of this, but I doubt most Android users do.
To mitigate the problem at least a little, you have to jump through hoops. <shamelessplug>I had to write my own (MIT licensed) lib to allow for SSH-style "ask on first use" behavior, which I needed for an XMPP client: https://github.com/ge0rg/memorizingtrustmanager </shamelessplug>
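The two patterns the comment contrasts, as an added example that is not part of the original post and is not code from the memorizingtrustmanager library: the "trust everything" X509TrustManager that many Android apps ship, beside a hypothetical SSH-style trust-on-first-use manager. The TOFU manager defers to the platform trust store first, then to a file of SHA-256 fingerprints it has already accepted, and only for a never-seen certificate asks the caller once. The class names, the `Prompt` callback and the pin file format are assumptions made for this illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** The anti-pattern: every chain passes, so any on-path attacker with a self-signed cert wins. */
class TrustAllManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

/** Hypothetical TOFU manager: platform CAs first, then memorized fingerprints, then ask exactly once. */
class TofuTrustManager implements X509TrustManager {
    /** Called once per unknown leaf certificate; return true to memorize and accept it. */
    public interface Prompt { boolean acceptUnknown(String sha256Fingerprint, X509Certificate leaf); }

    private final X509TrustManager platform;
    private final Set<String> memorized = new HashSet<>();   // hex SHA-256 of accepted leaf certs
    private final Path store;                                 // one fingerprint per line (assumed format)
    private final Prompt prompt;

    TofuTrustManager(Path store, Prompt prompt) throws Exception {
        this.store = store;
        this.prompt = prompt;
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null KeyStore selects the platform's default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no platform X509TrustManager available");
        this.platform = found;
        if (Files.exists(store)) memorized.addAll(Files.readAllLines(store, StandardCharsets.UTF_8));
    }

    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        try {
            platform.checkServerTrusted(chain, authType);   // 1. issued by a CA the device already trusts
            return;
        } catch (CertificateException platformFailure) {
            X509Certificate leaf = chain[0];
            leaf.checkValidity();                            // still refuse expired or not-yet-valid certs
            String fp = fingerprint(leaf);
            if (memorized.contains(fp)) return;              // 2. seen and accepted on an earlier connection
            if (!prompt.acceptUnknown(fp, leaf)) {           // 3. first use: ask, and fail closed on "no"
                throw new CertificateException("certificate rejected by user: " + fp, platformFailure);
            }
            memorized.add(fp);
            try {
                Files.write(store, (fp + System.lineSeparator()).getBytes(StandardCharsets.UTF_8),
                            StandardOpenOption.CREATE, StandardOpenOption.APPEND);
            } catch (IOException e) {
                throw new CertificateException("could not persist accepted fingerprint", e);
            }
        }
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);        // no TOFU for client certs
    }

    @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    /** Wire the TOFU manager into HttpsURLConnection; the Prompt here auto-accepts only for demonstration. */
    public static void main(String[] args) throws Exception {
        TofuTrustManager tofu = new TofuTrustManager(Paths.get("accepted-fingerprints.txt"),
            (fp, leaf) -> { System.out.println("unknown cert " + leaf.getSubjectX500Principal() + " sha256=" + fp); return true; });
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tofu }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Two caveats a practitioner should keep in mind. A TrustManager never sees the hostname, so this does nothing about hostname verification; leave the default HostnameVerifier in place rather than replacing it with one that returns true, which is the other half of the "trust everything" pattern. And because the store is keyed by certificate fingerprint rather than by host, a server whose key changes simply shows up as "unknown" and prompts again, whereas SSH warns loudly about a changed host key; keying the store by host as well would be needed to reproduce that warning.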