Risky Business #288 -- Planet Android safe from flaming pwncomet

Promised droidpocalypse is mostly hype...
12 Jul 2013 » Risky Business

On this week's show we take an axe to all the crazy hype around BlueBox's Android research. It's been a shameful, shameful week for the tech media. I half expected to walk outside this week and find crowds of consumers holding pitchforks and burning their Android devices based on the headlines we've been seeing about 99% of all 'droid devices being open to attack!

As you'll hear in this week's interview with Justin Case (jcase), the research is cool -- it's a code signing check bypass for Android install packages -- but you can put down the matches and the lighter fluid. It's not that bad.

In this week's sponsor interview we continue the conversation about code signing with Brad Arkin, the CSO of Adobe. Adobe itself had some trouble with an attacker compromising its systems and signing malware with its HSM. Last week, as you would have heard, someone managed to do the same thing at Opera, only that case was worse because they also jacked the browser's update boxes for a short time and served up bogus patches.

Last time Brad was on the show he was the head of security and privacy at Adobe, so handling the operational security and code signing wasn't actually his responsibility. But it is now, so he's been doing some thinking.

What do these recent developments tell us about distributed trust models for code signing? Are desktop OSes moving towards the mobile app signing model that has worked so spectacularly well for Apple? Well, Brad says they are, with caveats.

Adam Boileau, as usual, joins the show to discuss the week's news headlines. Show notes are here.