Closed
Bug 1489950
Opened 6 years ago
Closed 3 years ago
Firefox Focus for Android v6.1.1 allows attackers to modify apps without affecting their signature
Categories
(Focus :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: Bean3ai, Unassigned)
References
Details
(Keywords: csectype-priv-escalation, sec-moderate)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Steps to reproduce:
Checking the Firefox for Android app's signature information, I notice that Firefox Focus for Android v6.1.1 is using signature scheme version 1. Screenshots of the app's signature information are attached.
Actual results:
It is a serious vulnerability that could allow attackers to modify installed apps without affecting their signature. This vulnerability (designated as CVE-2017-13156, and also called the Janus vulnerability) affects versions of Android from 5.1.1 to 8.0.
Expected results:
For compatibility reasons, the developer could use a mixed signature (version 1 and 2) scheme.
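Added example, not part of the original report and not Mozilla's code: a Python check for whether an APK carries an APK Signing Block with a v2 or v3 entry; an empty result means the file is covered by v1 (JAR) signing at most, which is the condition reported here. `build_sample` is a hypothetical helper that constructs an in-memory test file with placeholder signer data, and the check only detects the block's presence; it does not verify any signature.

```python
import io, struct, zipfile

APK_SIG_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # APK Signature Scheme block IDs

def signing_schemes(apk: bytes) -> set:
    """Return which of the v2/v3 schemes appear in the APK Signing Block."""
    eocd = apk.rfind(b"PK\x05\x06")  # ZIP End of Central Directory record
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    # The signing block, when present, sits directly before the central
    # directory and ends with an 8-byte size field plus the 16-byte magic.
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != APK_SIG_MAGIC:
        return set()  # no block: at most v1 (JAR) signing covers this file
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if size < 24 or start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("malformed APK Signing Block")
    found, pos, end = set(), start + 8, cd_offset - 24
    while pos + 12 <= end:  # each pair: uint64 length, uint32 ID, value
        pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair")
        if pair_id in SCHEME_IDS:
            found.add(SCHEME_IDS[pair_id])
        pos += 8 + pair_len
    return found

def build_sample(ids=()) -> bytes:
    """Constructed test input: a one-entry ZIP, optionally with a signing
    block whose pairs carry placeholder (not cryptographically valid) data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed sample")
    raw = buf.getvalue()
    if not ids:
        return raw
    eocd = raw.rfind(b"PK\x05\x06")
    cd = struct.unpack_from("<I", raw, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 8, i) + b"\0" * 4 for i in ids)
    size = struct.pack("<Q", len(pairs) + 24)
    block = size + pairs + size + APK_SIG_MAGIC
    out = bytearray(raw[:cd] + block + raw[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))
    return bytes(out)

if __name__ == "__main__":
    print(signing_schemes(build_sample()), signing_schemes(build_sample((0x7109871A,))))
```

For a release artifact, `apksigner verify --verbose` from the Android SDK build tools reports which schemes actually verify.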
Updated•6 years ago
Component: Build Config & IDE Support → Security: Android
Flags: needinfo?(sdaswani)
Product: Firefox for Android → Focus
Version: unspecified → ---
Comment 2•6 years ago
Good write up of the issue. The CVE database links don't do a good job of describing the vuln. https://blog.trendmicro.com/trendlabs-security-intelligence/janus-android-app-signature-bypass-allows-attackers-modify-legitimate-apps/
will also wait for a rating from the security team before prioritizing this work.
Flags: needinfo?(sdaswani)
Comment 4•6 years ago
ulfr: does your team/Autograph do the signing for android apps?
Keywords: csectype-priv-escalation,
sec-moderate
Comment 5•6 years ago
We do (at least for some). V2/V3 signature support is in the backlog. AAB adoption may impact this.
Updated•6 years ago
Group: firefox-core-security → mobile-core-security
Updated•6 years ago
Whiteboard: [geckoview]
Comment 6•6 years ago
This is release engineering work that is independent of GV. Possibly this bug should be moved to them?
Whiteboard: [geckoview]
Comment 7•6 years ago
Catlee, can you help find someone in releng who might work on this?
Flags: needinfo?(catlee)
Comment 8•6 years ago
As per comment #5, signing of Android apps is handled by Autograph. I think the work rests with :ulfr's team, unless we decide to bring signing back into something like a releng scriptworker.
Flags: needinfo?(catlee)
Comment 10•3 years ago
Fixed for all APKs in bug 1613113 and bug 1669487
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Updated•3 years ago
Group: mobile-core-security → core-security-release
Updated•2 years ago
Group: core-security-release
Updated•2 years ago
Component: Security: Android → General