
Security vulnerability in the Android 1.5 R1 release

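[IT168 Technical Analysis] Recently, users have been reporting that after flashing this US build
https://android.clients.google.com/updates/partner/signed-kila-ota-148830.de6a94ca.zip

the Google Pinyin input method can no longer be installed. The installation log shows the following: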

I/ActivityManager(   57): Process com.android.settings (pid 240) has died.  
E/PackageManager(   57): Package com.android.inputmethod.pinyin has no signatures that match those in shared user android.uid.shared; ignoring!
W/PackageManager(   57): Package couldn't be installed in /data/app/com.android.inputmethod.pinyin.apk

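Note the second line, the E (error) entry: "no signatures that match those in shared user ...". This immediately brings to mind the reason the recent CRB17->CRB43 patch was released: a security vulnerability.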

#2009-006 Android improper package verification when using shared uids

Description:

Android, an open source mobile phone platform, improperly checks developer certificates when installing packages that request the shared user identifier (uid) permission.

Normally, Android applications will be allowed to share a uid if the packages are all signed by the same developer certificate and request permission to do so at install-time. This allows for packages from the same author to share data. Without enforcement of that behavior, it is possible for any application to be installed in such a manner that it gains access to another (existing) application's data.

A patch has been made available by Android.

Affected version:

Android >= 1.5 CRB17
<= 1.5 CRB42

Fixed version:

Android
>= 1.5 CRB43

(Android 1.0 and 1.1 are unaffected.)

Credit: Panasonic

CVE: CVE-2009-1754

Timeline:

2009-05-14: Panasonic reported the issue to the Android Security Team
2009-05-18: Android Security Team requested assistance from oCERT
2009-05-19: oCERT requested CVE assignment
2009-05-22: CVE assigned
2009-05-22: advisory release

References:
Patch

Permalink:
http://www.ocert.org/advisories/ocert-2009-006.html

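An application's private data not being protected by the corresponding user permissions is a serious problem! For this patch, Google even released a dedicated 1.5 SDK r2.
From CRB43 onward, installation behaviour is strictly enforced, and the Google Pinyin package that people usually install appears to be an unofficial build that does not follow the official rules.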

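This is only a problem with the check performed at install time. Copies that were installed under the CRB17 upgrade package got in by slipping through the loophole. Let's hope the author of this Google Pinyin build repackages and re-releases it; the issue has nothing to do with the system itself. Anyone who has used the 1.5 SDK knows that it ships with the Google Pinyin input method, and Locale has a complete Chinese language pack as well. That is what an official release should look like!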
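The install-time rule described in the advisory can be shown with a small model. This is an added example, not Android source or code from the original article: the class names, package names, certificate labels and uid numbers are constructed, and only the error wording mirrors the log line quoted above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class InstallError(Exception):
    """Raised when a package is refused at install time."""


@dataclass
class Package:
    name: str
    cert: str                          # constructed signer fingerprint
    shared_user: Optional[str] = None  # requested shared uid name, if any


@dataclass
class PackageStore:
    enforce_signatures: bool           # False models the unpatched behaviour
    next_uid: int = 10000
    shared_users: Dict[str, Tuple[int, str]] = field(default_factory=dict)
    uids: Dict[str, int] = field(default_factory=dict)

    def _new_uid(self) -> int:
        self.next_uid += 1
        return self.next_uid

    def install(self, pkg: Package) -> int:
        if pkg.shared_user is None:
            uid = self._new_uid()              # private uid, private data
        elif pkg.shared_user not in self.shared_users:
            uid = self._new_uid()              # first member defines the signer
            self.shared_users[pkg.shared_user] = (uid, pkg.cert)
        else:
            uid, owner_cert = self.shared_users[pkg.shared_user]
            if self.enforce_signatures and pkg.cert != owner_cert:
                raise InstallError(
                    f"Package {pkg.name} has no signatures that match "
                    f"those in shared user {pkg.shared_user}; ignoring!")
        self.uids[pkg.name] = uid
        return uid


def second_signer_joins(enforce: bool) -> bool:
    """Install two differently signed packages asking for one shared uid."""
    store = PackageStore(enforce_signatures=enforce)
    owner = store.install(Package("com.example.notes", "cert-A", "example.uid.shared"))
    try:
        other = store.install(Package("com.example.other", "cert-B", "example.uid.shared"))
    except InstallError:
        return False
    return other == owner
```

With enforcement off, the second package receives the same uid as the first and with it access to the first package's data; with enforcement on, the install is refused with the message seen in the log.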
 
