--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
good idea! i accept!i will fix it right now!
Hei Jiajia.To be clear, I find your proposal really interesting, I think there are some very good insights there.I am just suggesting we should figure out the best and future proof way to materialize it, and think a bit more about future proof to get a good design.You are right, though, that there are some extra constraints I didn't think about: you necessarily need to resign with the previous key to replace a package, although you don't have to necessarily change package name.On Tue, Jul 19, 2016 at 1:55 PM, 李佳佳 <lijia...@gmail.com> wrote:Thank you for your advice and attention so much.
But I don't think your concern is not as important as user's security. I will answer your question as list.
First of all, my proposal is kind like of app link feature introduced since Android 6.0, app link verifies the signature from app and sha256 saved on website. And the cost of replacing the key in website is not expensive, referring to app link. But app link only supports https, now we extend to any other scheme.
(I think your question is also compatible for app link from google,---->https://developer.android.com/training/app-links/index.html😄 )
Secondly, consider your imagine that the app key is expired, it is a very good question, if you just update the key of app and keep the package name the same, user won't install new version app covering old one successfully. I think changing the package name may be a better way to solve this conflict. But anyway, no matter what happened, updating a key of app is very terrifying.
Finally, if the key has been changed , and you insist concerning about the problem of syncing between app and website, I advise you can
remove the param "sha256" in the intent scheme, which means backward to the original way of Android .
I am so glad to talk with you , I hope to communicate with you about it more.
Best wishes,
Jiajia Li.
I am not a security expert, but one thing that I find tricky in that approach is that it relies on keeping the web page and the apk signatures in sync. If I am reading the code correctly, in that proposal if an app wants to update the signatures for their APK (keys are expired, change of issuer, key revocation) they have atomically update all the links in the internet (very hard to imagine). And even if they manage to do that, users might be still lagging behind (e.g., auto update is disabled) and be in a situation where they have (new website with new signature)+(old apk with old signature).So the only realistic plan for this to work across key rotations is that app developers should never remove signatures, just keep adding them. which is IMHO a tough requirement.
I'm not sure I understand the reason for this feature. The original email said this is to protect against malicious APKs *that are already installed*. Isn't that sort of the wrong level of protection? If you already installed a malicious APK, it can already do all kinds of bad things. What additional badness would clicking a link provide?
If you speak like this, I don't think app link needs to verify the signature. :)What I want to solve is to raise the accuracy of chrome notifying the fake evil app.Suppose like this, sometimes a app for paying is installed on the phone, the app is evil and fake, it runs as normal . But when user shopping on chrome and comes to payment page , which may jump to the app according to the intent, we can block the intent action at the time using sha256.
I'm not sure I understand the reason for this feature. The original email said this is to protect against malicious APKs *that are already installed*. Isn't that sort of the wrong level of protection? If you already installed a malicious APK, it can already do all kinds of bad things. What additional badness would clicking a link provide?
Unless the intent itself is going to contain some data that shouldn't be shared with an untrusted app, I don't think it's that useful to enforce where it's delivered.
On Tue, 19 Jul 2016 at 16:33 Rouslan Solomakhin <rou...@chromium.org> wrote:On Tue, Jul 19, 2016 at 6:26 AM Christian Biesinger <cbies...@chromium.org> wrote:I'm not sure I understand the reason for this feature. The original email said this is to protect against malicious APKs *that are already installed*. Isn't that sort of the wrong level of protection? If you already installed a malicious APK, it can already do all kinds of bad things. What additional badness would clicking a link provide?This protects the webpage from launching the malicious app. The author can better speak to the use case, but here's how I understand it. Currently AliPay integrates into Chinese websites by adding a [Pay with AliPay] button. When user clicks that on Android, the native AliPay payment app launches. The user must enter their username and password to proceed. Alibaba's concern is that the user might have installed a malicious clone of AliPay. Entering their AliPay username and password into a malicious app would be bad. The proposed feature should prevent it.But it doesn't. *ANY* malicious app on the phone, even one with a completely different package name unrelated to AliPay, can notice that the AliPay activity has launched, and launch itself over the top with a phishing UI, already, without needing to communicate with Chrome at all. There's probably other similar ways to do this as well. In this case the user isn't safe even if they *have* got the real, signed version of AliPay.It just doesn't seem like enforcing the intent here adds much real security.
But it doesn't. *ANY* malicious app on the phone, even one with a completely different package name unrelated to AliPay, can notice that the AliPay activity has launched, and launch itself over the top with a phishing UI, already, without needing to communicate with Chrome at all. There's probably other similar ways to do this as well. In this case the user isn't safe even if they *have* got the real, signed version of AliPay.It just doesn't seem like enforcing the intent here adds much real security.What I'm hearing is that there're two problems in Android intents for the web:1) There's no way to identify the callee securely.
2) Any app can detect launch of other apps and draw itself on top of other apps.
Given that, the approach to bad apps involves things like scanning the Play Store — or whatever other stores people in China use — for bad apps, and working to educate people that it matters whether or not they get the real AliPay, and where the real AliPay is available.
--
--
-----
secu...@chromium.org is for discussing vulnerabilities and fixes in Chromium code.
Please protect Chromium users: DO NOT FORWARD this email or disclose its contents to third parties.
http://groups.google.com/a/chromium.org/group/security
---
You received this message because you are subscribed to the Google Groups "security" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security+u...@chromium.org.
1.Intent itself supports conveying params, in China many apps would transfer sensitive data in intent
In short, I am in full agreement with Palmer, Rachel, and Torne. It appears that there's really only one protection this would give, which is over the content in the intent itself,
Unless malware using your good application's package name got on the device first, in which case the device owner has other problems...
But as Torne described, the attacker has won in that scenario
--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
Hi Joel,A quick question: will SRI's new version cover intent?
--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.