latch101 / seek-for-android

Automatically exported from code.google.com/p/seek-for-android
0 stars 0 forks source link

Security Issue with Access Control #63

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
SCAPI uses the process name to retrieve the package name of the calling 
application for detecting whether the client will get access to a specific AID 
or not.
The package name of an APK can be faked within Android thus the current 
implementation is not secure!

See SmartcardService.java:getProcessNameFromPid

Attached patch retrieves the package name of the calling application from the 
clients UID.

Thanks a lot to the reporter!

Original issue reported on code.google.com by Daniel.A...@gi-de.com on 5 Jul 2013 at 3:07

Attachments: