Android Master Key Exploit
The details of what I believe to be Android bug 8219321 (master keys) are below. I’ve put this together from the Cyanogenmod bug report and patch, so if anyone has some better information I’d welcome it.
When checking APK content signatures, PackageParser calls its loadCertificates method, which in turn uses the getInputStream method of JarFile. That method's implementation lives in ZipFile (the parent of JarFile) and looks up the relevant entry in a Map.

The problem is that a Map can only provide a single object for a given key, so if a zip file contains two entries with the same name, only one of them will be returned to loadCertificates, and so only one entry is validated.

The Map is constructed as part of a loop, so you can determine which entry will always be returned from loadCertificates. What you could do, then, is create a zip file where the entry that verifies is the one returned by getInputStream, and the one carrying the evil code is the one that ends up on the device.
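As an added example (not from the original post or from the Android sources), the following Python builds a constructed zip with two entries both named classes.dex, shows that a name-keyed map filled in a loop over the central directory keeps only one of them, and then runs the check a defender would want: walk the full entry list and flag any name that appears more than once. The entry names and contents are made up for the demonstration.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_duplicate_zip() -> bytes:
    """Constructed sample: a zip whose central directory lists 'classes.dex' twice.

    The first copy stands in for the entry a verifier would check, the second
    for a differing payload under the same name. Both are dummy bytes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("classes.dex", b"ORIGINAL-DEX")
        with warnings.catch_warnings():
            # Python's zipfile warns on duplicate names but still writes the entry.
            warnings.simplefilter("ignore")
            zf.writestr("classes.dex", b"REPLACED-DEX")
    return buf.getvalue()


def map_view(data: bytes) -> dict:
    """Mimic a name -> entry Map built in a loop: each iteration overwrites the
    previous value for the same key, so only one of the duplicates survives."""
    by_name = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            by_name[info.filename] = zf.read(info)  # read by ZipInfo, not by name
    return by_name


def find_duplicate_entries(data: bytes) -> dict:
    """Defender's check: count names over the whole central directory rather
    than trusting a name-keyed lookup. Returns {name: occurrences} for n > 1."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    sample = build_duplicate_zip()
    print("map keys:", sorted(map_view(sample)))            # 2 keys for 3 entries
    print("duplicates:", find_duplicate_entries(sample))   # {'classes.dex': 2}
```

An APK whose central directory contains duplicate names should be rejected outright; a single-entry lookup cannot tell you which copy was verified.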