Friday, December 23, 2011

Android remote shell via no-permission applications

Android's permission management architecture suffers from a vulnerability that allows an attacker to access the system via a remote shell. In this video ... explains how a "no-permission application", one that requests no sensitive permissions in order to work, can be exploited.

From the original post:

"It is not a zero-day exploit or a root exploit. We are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel."

I think that the issue is a matter of the "Least Privilege" principle!
