lulufei / seek-for-android

Automatically exported from code.google.com/p/seek-for-android

Security Issue with Access Control

GoogleCodeExporter opened this issue

SCAPI uses the process name to retrieve the package name of the calling 
application for detecting whether the client will get access to a specific AID 
or not.
The package name of an APK can be faked within Android, thus the current 
implementation is not secure!

See SmartcardService.java:getProcessNameFromPid

Attached patch retrieves the package name of the calling application from the 
client's UID.


Thanks a lot to the reporter!

Original issue reported on code.google.com by Daniel.A...@gi-de.com on 5 Jul 2013 at 3:07

Attachments:
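
The difference between the two lookups described in the report, as an added example (not the attached patch and not the project's code). The class `CallerIdentity`, its method names and the `allowedPackages` set are hypothetical, and rejecting a shared UID unless every package under it is allowed is an assumed policy.

```java
import android.app.ActivityManager;
import android.content.Context;
import android.os.Binder;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/** Hypothetical helper for a bound service; call it only on the Binder thread of the incoming call. */
public final class CallerIdentity {
    private CallerIdentity() {}

    /** Weak pattern from the report: PID -> process name, treated as the package name. */
    static String packageFromProcessName(Context ctx) {
        int pid = Binder.getCallingPid();
        ActivityManager am = (ActivityManager) ctx.getSystemService(Context.ACTIVITY_SERVICE);
        List<ActivityManager.RunningAppProcessInfo> procs = am.getRunningAppProcesses();
        if (procs == null) return null;
        for (ActivityManager.RunningAppProcessInfo p : procs) {
            // processName is declared by the app itself, so it is a label, not an identity.
            if (p.pid == pid) return p.processName;
        }
        return null;
    }

    /** Hardened pattern: resolve packages from the UID the kernel attaches to the Binder call. */
    static List<String> packagesFromCallingUid(Context ctx) {
        // Outside an incoming Binder transaction this returns the service's own UID.
        int uid = Binder.getCallingUid();
        String[] pkgs = ctx.getPackageManager().getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) {
            throw new SecurityException("No package installed for calling UID " + uid);
        }
        return Collections.unmodifiableList(Arrays.asList(pkgs));
    }

    /** Fail closed: with a shared UID, every package under it must be allowed (assumed policy). */
    static void enforceAccess(Context ctx, Set<String> allowedPackages) {
        for (String pkg : packagesFromCallingUid(ctx)) {
            if (!allowedPackages.contains(pkg)) {
                throw new SecurityException("Package " + pkg + " is not allowed for this AID");
            }
        }
    }
}
```

A UID can map to more than one package when apps share a UID, which is why the check iterates over the whole array instead of taking the first entry.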