Just saw a post about a Black Hat briefing by Jeff Forristal about an Android vulnerability corresponding to Google bug 13678484. I can only find one reference to it, i.e. https://android.googlesource.com/platform/libcore/+/android-cts-4.1_r4

Can someone throw more light on it? It looks to me that there might be some issue around certificate chaining and a bypass around it.
Add API to check certificate chain signatures

Add hidden API to check certificate chain signatures when needed. The getCertificates implementation returns a list of all the certificates and chains and would expect any caller interested in verifying actual chains to call getCodeSigners instead.
Yeah, sorry, I have mistaken one for another, because it is the same person who disclosed, and it looks like the vulnerability. But it is not.
Hi Guys, any news about it? Thanks!