While doing work for a customer I stumbled upon the fact that the official builds available for download at https://blissos.org are built with a publicly available platform key:
This poses a significant security risk for users of the official builds as any adversary can simply sign their app with the platform key and gain elevated permissions for their app.
While it may not be feasible for you guys to keep secret keys for every build, this should at least be documented in the Download and/or Licensing section at https://blissos.org.
Reproduction steps
1. Download and install BlissOS v15.9 OFFICIAL.
2. Download https://github.com/BlissRoms-x86/platform_build/raw/arcadia-x86/target/product/security/platform.pk8 and https://raw.githubusercontent.com/BlissRoms-x86/platform_build/arcadia-x86/target/product/security/platform.x509.pem
3. `apksigner sign --key platform.pk8 --cert platform.x509.pem malicious.apk`
4. `adb install malicious.apk`
5. Watch it 💥
Screenshots
No response
Logs
No response
Category
Other
OS Version
15.x
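A defender-side check, added here and not part of the issue or the BlissOS project: it compares the SHA-256 fingerprint of the published platform.x509.pem with the signer digest that `apksigner verify --print-certs` reports for an installed build's framework-res.apk, so a user can confirm whether their image is signed with the public key. It assumes openssl is on PATH and that the apksigner output has been saved to a text file.

```shell
#!/bin/sh
# Does the platform certificate of an installed build match a published
# (hence untrusted) signing certificate? Assumptions, not from the issue:
# openssl is on PATH; the device-side digest comes from saved output of
# `apksigner verify --print-certs framework-res.apk`, which contains a line
# "Signer #1 certificate SHA-256 digest: <hex>".

# Normalise a fingerprint: keep hex digits only, lowercase.
norm_fpr() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a PEM certificate, computed over its DER encoding.
cert_fpr() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Extract the first signer digest from saved apksigner --print-certs output.
apksigner_fpr() {
    sed -n 's/.*certificate SHA-256 digest: *//p' "$1" | head -n 1
}

# Usage: check_platform_key published.pem apksigner_output.txt
# Returns 0 when the build's signer equals the published certificate,
# 1 when it differs (or when either fingerprint could not be read).
check_platform_key() {
    pub=$(norm_fpr "$(cert_fpr "$1")")
    dev=$(norm_fpr "$(apksigner_fpr "$2")")
    if [ -n "$pub" ] && [ "$pub" = "$dev" ]; then
        echo "PUBLIC-KEY: build is signed with the published platform certificate"
        return 0
    fi
    echo "ok: platform certificate differs from the published one"
    return 1
}
```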
Yes. I'm suggesting that this should be documented for downloaders/users of the official images as they're probably not aware of what this means and implies.