Quote:
Originally Posted by Eusibius2
Hey - thanks for all the answers, they really helped. I'm still curious about this last point though. Couldn't this lead to a security flaw if we can now essentially re-sign a program (or fake sign a new one??) to do something malicious using another dev's key? Wouldn't this essentially fake the requested permissions the program wants the user to agree to?
Yes, but to be honest, anybody who knows how to implement malicious syntax into a program will know how to fake the signature. There are a few auto-signers out there right now. As for the permissions, I don't believe they are stored in the signature files, but I may be wrong as I haven't analyzed it closely. I would presume that the application permissions would be stored in the application itself. What I do know about this particular auto signer is that it's clean, completely free of malicious code, and will not harm the applications it's used on or the devices. I'm a software developer, so I -have- looked for the usual signs of malicious intent as well as scanned it with not only desktop antivirus and antimalware apps (Nod32, Malwarebytes), but also with a couple of Android ones after re-installation of the modified APK.
This tutorial is simply for those who want to utilize the full versatility of their Android devices. It's not to give the tools needed to create malicious applications. Even though the auto sign will work for that purpose, it's only 1% of what's needed to do so, and anybody knowledgeable enough to write the other 99% does not need this auto signer to complete the job.
I'm getting the impression that you are not really interested in this tutorial itself, but rather in the possibilities and features of the auto sign Java program (whether to cause problems here, or purely out of curiosity, I don't know). If this is the case, please request such information on the XDA thread where this tool was created, not here.