
suggestion: make patches for android 6+ check if FAKE_PACKAGE_SIGNATURE declared

Open Vavun opened this issue 5 years ago • 4 comments

Hi @Lanchon

First, sorry for bad English.

Suggestion: Modify and improve patches for Android 6+ (if it is possible) to make them check whether android.permission.FAKE_PACKAGE_SIGNATURE is declared in the ROM and then behave according to system features.

I made a small fake app for @Nanolx NanoDroid patcher that adds info about signature spoofing and declares the FAKE_PACKAGE_SIGNATURE permission.

That is what I'm talking about: https://gitlab.com/Nanolx/NanoDroid/issues/53

So, if we change android:protectionLevel in AndroidManifest.xml from normal to dangerous, it becomes possible to ask for, grant, deny and manage this permission, but the patched system ignores this and grants this permission by default to all apps. (Anyway, we can still see the permission request dialog for this permission if protectionLevel is dangerous.)

It would be great if the patched system checked whether the fake package signature permission is already declared in the system (and manageable) and granted this permission to each app according to settings, like other dangerous permissions, and granted it by default to all if it is not declared or is declared as normal, and so on.

If it is possible, it will be a FULL signature spoofing support patch with managing :)

Thanks

Vavun, Apr 13 '19 02:04

hey,

i'll look into this when i can but i can tell you it's very likely it's a permission issue and the patcher code is ok.

Lanchon, Apr 21 '19 01:04

Thanks

I faced this a long time ago. I even tried placing FAKE_PACKAGE_SIGNATURE in framework-res.apk of the patched ROM, and every time I see this. This is how it looks with dangerous protection level: https://youtu.be/301QUwWh6lY

This is LineageOS 14.1

Same thing when placing FAKE_PACKAGE_SIGNATURE in framework-res: signature spoofing is permitted even if the signature spoofing permission is not granted.

Vavun, Apr 21 '19 08:04

I would also like to see per-app based granting of permissions. Otherwise everything works just fine on my phone.

EDIT: This is the patch set used when building services framework: https://github.com/microg/android_packages_apps_GmsCore/tree/master/patches

AreYouLoco, Jun 18 '19 21:06

I've modified the patches to make it more similar to MicroG's approach: https://github.com/teowoz/haystack/compare/050d6319ad2f7b4a0558d8d61ce158d12a83e99c...teowoz:e845eb3e72bae2d20ac9c9907f566289cf53b5ef

It won't work in Android 4.0 and below, but the MicroG patches are for >=4.4 anyway.

You also need to set the permission's protectionLevel to dangerous (with normal it is granted automatically). It probably could be done by patching /system/framework/framework-res.apk, but repacking it looks complicated and I failed to do it correctly. However, the NanoDroid approach with an additional apk ( https://gitlab.com/Nanolx/NanoDroid/-/issues/53 ) also works. The source code for it is currently unavailable (404), but I unpacked the apk, modified it (protectionLevel was normal in it), repacked and signed it (the signature apparently isn't verified, but it must exist).

The effect is that the signature spoofing permission works similarly to the MicroG source code patch: signature spoofing is allowed only if the permission is explicitly granted by the user.

Tested using NanoDroid patcher on LineageOS 17.1 (lineage-17.1-20200808-nightly-bardockpro-signed.zip)

teodly, Aug 12 '20 08:08
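
A check for the protectionLevel point raised in the comments above, as an added example that is not part of the thread or of haystack, NanoDroid or microG: it reads an AndroidManifest.xml already decoded to text and reports whether FAKE_PACKAGE_SIGNATURE is declared and whether its level makes it auto-granted or user-managed. The function names, the placeholder package name and the sample manifest are constructed for illustration, and the input is assumed to be text XML (for instance from an apk decoding tool), not the binary form inside the apk.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SPOOF_PERMISSION = "android.permission.FAKE_PACKAGE_SIGNATURE"
# Base protection levels (low four bits of a numeric protectionLevel).
BASE_LEVELS = {0: "normal", 1: "dangerous", 2: "signature"}


def base_protection_level(raw):
    """Return the base level from 'dangerous', 'signature|privileged', '0x1', ..."""
    if raw is None:
        return "normal"  # Android's default when the attribute is omitted
    first = raw.split("|")[0].strip().lower()
    try:
        return BASE_LEVELS.get(int(first, 0) & 0xF, "unknown")
    except ValueError:
        return first  # already a symbolic name


def audit_manifest(manifest_xml):
    """Return (level, verdict) for the spoofing permission in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    for perm in root.iter("permission"):  # declarations only, not <uses-permission>
        if perm.get(f"{{{ANDROID_NS}}}name") != SPOOF_PERMISSION:
            continue
        level = base_protection_level(perm.get(f"{{{ANDROID_NS}}}protectionLevel"))
        if level == "dangerous":
            return level, "user-managed: each app must be granted it explicitly"
        if level == "normal":
            return level, "granted automatically to every app that requests it"
        if level == "signature":
            return level, "granted only to apps signed with the declaring package's key"
        return level, "unrecognised level, review by hand"
    return None, "permission not declared in this manifest"


# Constructed sample manifest; the package name is a placeholder.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.spoofperm">
  <permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"
      android:protectionLevel="{level}"/>
</manifest>"""

if __name__ == "__main__":
    for lvl in ("normal", "dangerous", "0x1", "signature|privileged"):
        print(lvl, "->", audit_manifest(SAMPLE.format(level=lvl)))
```

This inspects the declaration only; whether the patched framework actually honours the grant is a separate question, as the comments above describe.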