by peter487 4733 days ago
It gives you the ability to modify the app without changing its cryptographic signature. If such a problem existed in the standard PC world, it would essentially give you the ability to modify the binary without changing its hash.

This is a major blow to an essential part of the Android security system: the core functionality is broken, the consequences can be massive, not to mention it will never be fixed on old devices.

1 comment

I don't get why this is a problem.

In the PC world, authenticode on executables does not really offer that much security: Any malware can be signed and you normally don't verify the signature of applications.

And with Android: Just because APKs could be forged, what exactly is the attack vector? If sideloading is not enabled, and the Play Store uses HTTPS, how would such a forged APK with a stolen signature get placed on your device? Could other apps modify the APK of another app? Doesn't each app have its own Linux user ID, and aren't there access restrictions? How would some random game go and write into the APK of an app with high privileges in order to inject code? If that were possible, there would already be DoS-like attacks: one game destroying the APK of a competing game, etc.

I'd really like to know the attack vector!

The thing that makes this dangerous is the "system" certificate for core apps. If you hijack traffic to any update to such an app (and OEMs have a ton of such apps), you can inject code before it's installed under "system", and that's that.

No, you can't actually go poking into other apps' APKs, but how many people would press "update" if they see the package manager's "Installing Gallery update, no permissions required" dialog?
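The principle behind peter487's post (a signature is only worth something if it binds exactly the bytes that get installed) and behind the last reply (an update edited in transit must fail verification before it is installed) can be illustrated with a toy package verifier. This is an added, constructed example in Python, not Android's installer code or anything from the thread: the package format (a zip with a JSON manifest of entry hashes), the entry names, the demo key, and the helper names are all made up, and an HMAC over the manifest stands in for the public-key signature a real scheme would use. The weak verifier checks only that the signed manifest is intact; the strict one also checks that every entry to be installed hashes to what the manifest says and that nothing is missing, extra, or ambiguous.

```python
import hashlib
import hmac
import io
import json
import zipfile

# Constructed demo key: stands in for the developer's signing key. A real
# scheme uses a public-key signature; HMAC keeps this example stdlib-only.
SIGNING_KEY = b"constructed-demo-key"
MANIFEST = "META/MANIFEST.json"   # hypothetical manifest entry name
SIGNATURE = "META/SIG"            # hypothetical signature entry name


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_package(files: dict) -> bytes:
    """Write files into a zip, add a manifest of their hashes, sign the manifest."""
    manifest = json.dumps({name: _sha256(data) for name, data in files.items()},
                          sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, manifest, hashlib.sha256).digest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, manifest)
        zf.writestr(SIGNATURE, sig)
    return buf.getvalue()


def _signed_manifest(zf: zipfile.ZipFile):
    """Return the manifest dict if its signature checks out, else None."""
    try:
        manifest = zf.read(MANIFEST)
        sig = zf.read(SIGNATURE)
    except KeyError:
        return None
    expected = hmac.new(SIGNING_KEY, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(manifest)


def verify_manifest_only(pkg: bytes) -> bool:
    """Weak check: trusts the signed manifest without looking at the payload."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        return _signed_manifest(zf) is not None


def verify_strict(pkg: bytes) -> bool:
    """Strict check: signature valid, every installed byte covered, nothing extra."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        manifest = _signed_manifest(zf)
        if manifest is None:
            return False
        names = [info.filename for info in zf.infolist()]
        if len(names) != len(set(names)):
            return False  # the same name twice is ambiguous: refuse the archive
        payload = [n for n in names if n not in (MANIFEST, SIGNATURE)]
        if set(payload) != set(manifest):
            return False  # an entry the manifest does not cover, or one it promised is gone
        return all(_sha256(zf.read(n)) == manifest[n] for n in payload)


def replace_entry(pkg: bytes, name: str, data: bytes) -> bytes:
    """Repack with one payload entry changed, manifest and signature untouched.

    Exists only to produce the input a verifier must reject: a package whose
    contents changed after signing, which is the situation the thread describes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pkg)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            content = data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, content)
    return buf.getvalue()


def demo():
    """Return (weak verdict, strict verdict) for a package edited after signing."""
    good = build_package({"classes.bin": b"original code", "res/icon": b"icon bytes"})
    altered = replace_entry(good, "classes.bin", b"modified code")
    return verify_manifest_only(altered), verify_strict(altered)


if __name__ == "__main__":
    print(demo())  # the weak verifier still says True; the strict one says False
```

The takeaway for an installer or update client is the strict path: verify over the bytes actually written to disk, reject archives with entries the manifest does not cover or that name the same entry twice, and do it after the download is complete rather than on a separate copy of the data.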