Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 22 May 2009 16:29:53 -0500
From: Will Drewry <>
Subject: [oCERT-2009-006] Android improper package verification when using 
	shared uids

#2009-006 Android improper package verification when using shared uids


Android, an open source mobile phone platform, improperly checks developer
certificates when installing packages that request the shared user identifier
(uid) permission.

Normally, Android applications will be allowed to share a uid if the
packages are all signed by the same developer certificate and request
permission to do so at install-time.  This allows for packages from the
same author to share data.  Without enforcement of that behavior, it is
possible for any application to be installed in such a manner that it
gains access to another (existing) application's data.

A patch has been made available by Android (see references).

Affected version:

Android >= 1.5 CRB17 <= 1.5 CRB42

Fixed version:

Android >= 1.5 CRB43
(Android 1.0 and 1.1 are not affected)

Credit: Panasonic

CVE: CVE-2009-1754

2009-05-14: Panasonic reported the issue to the Android Security Team
2009-05-18: Android Security Team requested assistance from oCERT
2009-05-19: oCERT requested CVE assignment
2009-05-22: CVE assigned
2009-05-22: advisory release




Will Drewry <>
oCERT Team ::

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.