oCERT-2009-006 Android improper package verification when using shared uids
Android, an open source mobile phone platform, improperly checks developer certificates when installing packages that request the shared user identifier (uid) permission.
Normally, Android applications will be allowed to share a uid if the packages are all signed by the same developer certificate and request permission to do so at install-time. This allows for packages from the same author to share data. Without enforcement of that behavior, it is possible for any application to be installed in such a manner that it gains access to another (existing) application's data.
A patch has been made available by Android.
Android >= 1.5 CRB17, <= 1.5 CRB42
Android >= 1.5 CRB43
(Android 1.0 and 1.1 are unaffected.)
2009-05-14: Panasonic reported the issue to the Android Security Team
2009-05-18: Android Security Team requested assistance from oCERT
2009-05-19: oCERT requested CVE assignment
2009-05-22: assigned CVE
2009-05-22: advisory release