1,环境 事件
OS:ubuntu 9.04
eclipse:3.4.0
android API:1.5
一个app,在api 1.6的 AVD上跑没事,换到1.5的AVD上就不能安装上去了。
2,Log
[color=red]
console:
[2010-04-22 11:46:01 - AppStore] Installation error: INSTALL_FAILED_UPDATE_INCOMPATIBLE
[2010-04-22 11:46:01 - AppStore] Please check logcat output for more details.
[2010-04-22 11:46:01 - AppStore] Launch canceled!
DDMS.logcat:
04-22 03:45:54.835: ERROR/PackageManager(577): Package com.thunderst.android.appstore has no signatures that match those in shared user com.xxx.android.yyy; ignoring!
04-22 03:45:54.835: WARN/PackageManager(577): Package couldn't be installed in /data/app/com.xxx.android.yyy.apk
[/color]
3,解决
涉及到2个关键词:[b]signatures ,shared user[/b]
从INSTALL_FAILED_UPDATE_INCOMPATIBLE 和 signatures 判断可能是重复装载apk的问题,站内 [url]http://xusaomaiss.iteye.com/blog/393296[/url]提了解决办法。
当然,不是这个原因。
焦点集中在[b]shared user[/b]
后来在manifest.xml中找到
android:sharedUserId="com.xxx.android.yyy"
这么一个配置,就是它在捣乱!
在后来发现这个是android1.5R1的一个bug,已经在之后的版本中被修复了。
------
#2009-006 Android improper package verification when using shared uids
Description:
Android, an open source mobile phone platform, improperly checks developer certificates when installing packages that request the shared user identifier (uid) permission.
[b][color=green]Normally, Android applications will be allowed to share a uid if the packages are all signed by the same developer certificate and request permission to do so at install-time. This allows for packages from the same author to share data. Without enforcement of that behavior, it is possible for any application to be installed in such a manner that it gains access to another (existing) application's data.[/color][/b]
A patch has been made available by Android.
Affected version:
Android >= 1.5 CRB17 <= 1.5 CRB42
Fixed version:
Android >= 1.5 CRB43
(Android 1.0 and 1.1 are unaffected.)
Credit: Panasonic
CVE: CVE-2009-1754
Timeline:
2009-05-14: Panasonic reported the issue to the Android Security Team
2009-05-18: Android Security Team requested assistance from oCERT
2009-05-19: oCERT requested CVE assignment
2009-05-22: CVE assigned
2009-05-22: advisory release
References:
Patch
Permalink:
http://www.ocert.org/advisories/ocert-2009-006.html
OS:ubuntu 9.04
eclipse:3.4.0
android API:1.5
一个app,在api 1.6的 AVD上跑没事,换到1.5的AVD上就不能安装上去了。
2,Log
[color=red]
console:
[2010-04-22 11:46:01 - AppStore] Installation error: INSTALL_FAILED_UPDATE_INCOMPATIBLE
[2010-04-22 11:46:01 - AppStore] Please check logcat output for more details.
[2010-04-22 11:46:01 - AppStore] Launch canceled!
DDMS.logcat:
04-22 03:45:54.835: ERROR/PackageManager(577): Package com.thunderst.android.appstore has no signatures that match those in shared user com.xxx.android.yyy; ignoring!
04-22 03:45:54.835: WARN/PackageManager(577): Package couldn't be installed in /data/app/com.xxx.android.yyy.apk
[/color]
3,解决
涉及到2个关键词:[b]signatures ,shared user[/b]
从INSTALL_FAILED_UPDATE_INCOMPATIBLE 和 signatures 判断可能是重复装载apk的问题,站内 [url]http://xusaomaiss.iteye.com/blog/393296[/url]提了解决办法。
当然,不是这个原因。
焦点集中在[b]shared user[/b]
后来在manifest.xml中找到
android:sharedUserId="com.xxx.android.yyy"
这么一个配置,就是它在捣乱!
在后来发现这个是android1.5R1的一个bug,已经在之后的版本中被修复了。
------
#2009-006 Android improper package verification when using shared uids
Description:
Android, an open source mobile phone platform, improperly checks developer certificates when installing packages that request the shared user identifier (uid) permission.
[b][color=green]Normally, Android applications will be allowed to share a uid if the packages are all signed by the same developer certificate and request permission to do so at install-time. This allows for packages from the same author to share data. Without enforcement of that behavior, it is possible for any application to be installed in such a manner that it gains access to another (existing) application's data.[/color][/b]
A patch has been made available by Android.
Affected version:
Android >= 1.5 CRB17 <= 1.5 CRB42
Fixed version:
Android >= 1.5 CRB43
(Android 1.0 and 1.1 are unaffected.)
Credit: Panasonic
CVE: CVE-2009-1754
Timeline:
2009-05-14: Panasonic reported the issue to the Android Security Team
2009-05-18: Android Security Team requested assistance from oCERT
2009-05-19: oCERT requested CVE assignment
2009-05-22: CVE assigned
2009-05-22: advisory release
References:
Patch
Permalink:
http://www.ocert.org/advisories/ocert-2009-006.html
2071
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
