Originally Posted by
Please note, this apk doesn't fix for the installed apk. So if you have installed an apk with the fake id, this module cannot prevent you from the hacking. For more tech information, please visit here: https://github.com/Tungstwenty/FakeIDFix/issues/1
I am aware of this behavior, yes.
Please check this post:
It is also a PoC with multiple signatures, and it will scan the entire system for packages with multiple signatures, stating whether each certificate has signed the previous one.
But it doesn't take the Subject / Issuer into account, and it appears that there are some situations where multiple signers are present, and they don't form a chain (nor do they claim to).
Check this example:
and also this one
where AdBlockAddon is issued with 2 independent signers.
About your patch: in the latest version of my mod, I'm only changing the behavior to include the check if it's running on the system process. Since Google didn't change the behavior in JarTools to always enforce the check, I'm guessing that it might cause compatibility issues to always do it.
(I also posted this as a reply on GitHub)
On one hand yes, it can be deceiving, but on the other hand it might also be confusing to see the scanner reporting the bug as present.
If one installs the mod, he's doing something similar to applying the AOSP commit to his ROM which would apparently remove the vulnerability, and Bluebox would detect the 3 arguments on the method and report the system as safe.
Are you aware of any other AOSP commits that actually take advantage of the additional API of JarTools and enforce the check in some places?
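
Added example, not part of the original post and not code from FakeIDFix or the PoC scanner: a sketch of a scan that consults Issuer / Subject before the signature check, so that a forged chain claim is told apart from two independent signers. The `Cert` class, the toy RSA keys built from Mersenne primes, and all function names are assumptions made for illustration; real packages carry X.509 certificates.

```python
import hashlib
from dataclasses import dataclass

def _key(p, q, e=65537):
    """Toy RSA key (n, e, d) from two primes; illustration only."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

# Constructed sample keys built from known Mersenne primes.
KEYS = {"CA": _key(2**31 - 1, 2**61 - 1),
        "Dev": _key(2**89 - 1, 2**107 - 1),
        "Other": _key(2**127 - 1, 2**521 - 1)}

@dataclass
class Cert:  # simplified stand-in for an X.509 certificate
    subject: str
    issuer: str
    pub: tuple  # (n, e)
    sig: int = 0

def _digest(cert, n):
    tbs = f"{cert.subject}|{cert.issuer}|{cert.pub}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, issuer, signer, holder):
    """Create a cert for key `holder`, naming `issuer`, signed with key `signer`."""
    n, _, d = KEYS[signer]
    cert = Cert(subject, issuer, KEYS[holder][:2])
    cert.sig = pow(_digest(cert, n), d, n)
    return cert

def signed_by(cert, parent):
    """True if `cert`'s signature verifies under `parent`'s public key."""
    n, e = parent.pub
    return pow(cert.sig, e, n) == _digest(cert, n)

def classify(certs):
    """Label each adjacent pair, using Issuer/Subject before the signature check."""
    labels = []
    for child, parent in zip(certs, certs[1:]):
        if child.issuer != parent.subject:
            labels.append("independent")    # no chain is claimed
        elif signed_by(child, parent):
            labels.append("chained")        # claim backed by a signature
        else:
            labels.append("forged-claim")   # claim without a valid signature
    return labels

ca = issue("CA", "CA", "CA", "CA")
GENUINE = [issue("Dev", "CA", "CA", "Dev"), ca]
FAKE = [issue("Dev", "CA", "Dev", "Dev"), ca]   # names CA, signed with own key
TWO_SIGNERS = [issue("Dev", "Dev", "Dev", "Dev"), issue("Other", "Other", "Other", "Other")]

if __name__ == "__main__":
    for name, chain in [("genuine", GENUINE), ("fake", FAKE), ("two signers", TWO_SIGNERS)]:
        print(name, classify(chain), [signed_by(c, p) for c, p in zip(chain, chain[1:])])
```

A signature-only check returns the same "not signed by the next certificate" result for both the forged claim and the two independent signers; only the Issuer / Subject comparison separates them.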