Android Master Key Exploit
The details of what I believe to be Android bug 8219321 (master keys) are below. I've put this together from the CyanogenMod bug report and patch, so if anyone has better information I'd welcome it.
When checking APK content signatures, PackageParser calls its loadCertificates method, which in turn uses the getInputStream method of the JAR file object. That method is implemented in ZipFile (the parent of the JAR file class) and looks up the relevant entry in a Map. The problem is that a Map can only hold a single object for a given key, so if there are two entries in a zip file with the same name, only one of them will be returned to loadCertificates, and so only one entry is validated.
The Map is constructed as part of a loop over the entries, so you can determine which of the two entries will always be returned to loadCertificates. What you could therefore do is create a zip file where the entry that is verifiable is the one returned by getInputStream, and the one with the evil code is the one which ends up on the device.
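The root cause above is a name-keyed map that silently collapses duplicate zip entries. The following added example (my own illustration, not code from the Android source or the CyanogenMod patch) shows the same collapse with Python's zipfile module, which also keys entries by name, and the check a verifier should apply instead: walk the central directory and reject any archive whose entry names are not unique. The archive it builds is a constructed sample with placeholder text, not a real APK.

```python
import io
import warnings
import zipfile
from collections import Counter
from typing import Dict, List


def build_duplicate_entry_zip() -> bytes:
    """Constructed sample: a zip whose central directory lists the same
    name twice. The contents are harmless placeholder strings."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about duplicate names but still writes both entries
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("classes.dex", "first-entry")
            zf.writestr("classes.dex", "second-entry")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed sample with unique entry names, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("classes.dex", "only-entry")
    return buf.getvalue()


def find_duplicate_names(data: bytes) -> Dict[str, int]:
    """Return {name: count} for every name that occurs more than once in
    the central directory. A non-empty result means the archive should be
    rejected before any signature check is attempted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def name_keyed_lookup(data: bytes, name: str) -> bytes:
    """Mirror the vulnerable pattern: looking an entry up by name goes
    through a dict, which can hold only one of the duplicates. In Python's
    zipfile the last central-directory entry wins; a verifier that only
    ever sees this one entry never examines the other."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def all_entries_by_name(data: bytes, name: str) -> List[bytes]:
    """Read every entry carrying this name by iterating the ZipInfo list,
    which keeps duplicates distinct (each has its own header offset)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


if __name__ == "__main__":
    sample = build_duplicate_entry_zip()
    print("duplicates:", find_duplicate_names(sample))
    print("name-keyed lookup sees:", name_keyed_lookup(sample, "classes.dex"))
    print("all entries:", all_entries_by_name(sample, "classes.dex"))
```

The point of the check is that it runs over the full entry list rather than the name-keyed index, so it sees both copies regardless of which one the map would have returned; the patch for the bug takes the same approach of refusing archives with duplicate entry names rather than trying to pick the "right" one.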