Working from that description, Pau Oliva Fora, senior mobile security engineer at viaForensics, published proof-of-concept code that allows anyone with a moderate level of skill to modify an existing Android app without changing the cryptographic signature that is supposed to certify it has not been tampered with. The 32-line exploit demonstrates how easily the vulnerability can be exploited and the consequences the flaw might have for people who install and update apps from third-party sources.
"I think it's a very serious vulnerability, and everyone with an unpatched device should be cautious about what they install, especially if it doesn't come from an official distribution channel," Oliva Fora wrote in an e-mail to Ars.
Google patches critical bug in Android
Posted on Wednesday, July 10 2013 @ 16:50 CEST by Thomas De Maesschalck