oCERT-2009-006 Android improper package verification when using shared uids


Description:

Android, an open source mobile phone platform, does not properly verify developer certificates when installing a package that requests to share a user identifier (uid) with already-installed packages (the android:sharedUserId manifest attribute).

Normally, Android allows packages to share a uid only if they all request the same shared uid at install time and are all signed with the same developer certificate. Because the Linux uid is the boundary that separates one application's private data from another's, this lets packages from the same author share data while keeping every other application out. Without enforcement of the certificate check, an arbitrary (including a malicious) application can be installed so that it joins an existing application's uid and gains access to that application's private data.
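
The following model of the install-time check is an added illustration and is not Android's own PackageManagerService code. It keeps a table of shared uids the way the installer's package settings do, and offers two variants of the check: one that hands out the shared uid purely on the requested name (the flawed behaviour described above) and one that additionally requires the new package's signing certificates to be identical to the set already bound to that uid. Package names, certificate values and the Installer/Package classes are all hypothetical.

```python
"""Constructed model of Android's sharedUserId install check (not Android code).

Each installed app normally runs under its own Linux uid.  A package that
declares android:sharedUserId asks to run under a uid shared with other
packages declaring the same name; the installer must grant that only if
the signing certificates match.  Names and certificates below are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class Package:
    name: str
    certs: frozenset                # signing certificates (hypothetical strings)
    shared_uid: Optional[str] = None  # value of android:sharedUserId, if any


@dataclass
class SharedUid:
    uid: int
    certs: frozenset                # certificate set bound to this shared uid
    members: set = field(default_factory=set)


class Installer:
    """Simplified package settings: which uid each package name runs under."""

    def __init__(self, first_uid: int = 10000):
        self.next_uid = first_uid
        self.apps: Dict[str, int] = {}        # package name -> uid
        self.shared: Dict[str, SharedUid] = {}  # sharedUserId name -> entry

    def _alloc(self) -> int:
        uid = self.next_uid
        self.next_uid += 1
        return uid

    def install(self, pkg: Package, verify_shared_certs: bool) -> int:
        """Install pkg and return the uid it was assigned.

        verify_shared_certs=False reproduces the flaw: the shared uid is
        granted on the basis of the requested name alone.
        verify_shared_certs=True is the intended behaviour, modelled here as
        an exact match between the package's certificate set and the set
        already bound to that shared uid.
        """
        if pkg.shared_uid is None:
            uid = self._alloc()
            self.apps[pkg.name] = uid
            return uid

        entry = self.shared.get(pkg.shared_uid)
        if entry is None:
            # First package to claim this name defines the certificate set.
            entry = SharedUid(self._alloc(), pkg.certs)
            self.shared[pkg.shared_uid] = entry
        elif verify_shared_certs and entry.certs != pkg.certs:
            raise PermissionError(
                f"{pkg.name}: sharedUserId {pkg.shared_uid!r} is bound to a "
                "different certificate set; refusing to install")
        entry.members.add(pkg.name)
        self.apps[pkg.name] = entry.uid
        return entry.uid


# Constructed sample packages: two from one developer that legitimately share
# a uid, and a third from someone else claiming the same sharedUserId name.
VICTIM_A = Package("com.example.mail", frozenset({"cert-dev-A"}), "com.example.shared")
VICTIM_B = Package("com.example.contacts", frozenset({"cert-dev-A"}), "com.example.shared")
ATTACKER = Package("org.evil.stealer", frozenset({"cert-dev-X"}), "com.example.shared")


def scenario(verify_shared_certs: bool) -> Dict[str, Optional[int]]:
    """Install the legitimate pair, then attempt the attacker package.

    Returns each package's uid, or None if the install was refused.
    """
    inst = Installer()
    result: Dict[str, Optional[int]] = {}
    for pkg in (VICTIM_A, VICTIM_B, ATTACKER):
        try:
            result[pkg.name] = inst.install(pkg, verify_shared_certs)
        except PermissionError:
            result[pkg.name] = None
    return result


def shares_uid(result: Dict[str, Optional[int]], a: str, b: str) -> bool:
    """True if both packages were installed and landed in the same uid."""
    return result[a] is not None and result[a] == result[b]


if __name__ == "__main__":
    print("vulnerable:", scenario(verify_shared_certs=False))  # attacker joins victims' uid
    print("fixed:     ", scenario(verify_shared_certs=True))   # attacker refused
```

With the check disabled, org.evil.stealer is assigned the same uid as com.example.mail and can therefore read its private files; with the check enabled the two legitimate packages still share a uid but the third install is refused.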

A patch has been made available by Android.

Affected version:

Android >= 1.5 CRB17, <= 1.5 CRB42

Fixed version:

Android >= 1.5 CRB43

(Android 1.0 and 1.1 are unaffected.)

Credit: Panasonic.

CVE: CVE-2009-1754


Timeline:

2009-05-14: Panasonic reported the issue to the Android Security Team
2009-05-18: Android Security Team requested assistance from oCERT
2009-05-19: oCERT requested CVE assignment
2009-05-22: assigned CVE
2009-05-22: advisory release