Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Concerned with tampered APK sources on Play Store (1.1.6-free) #29

Closed
maxieds opened this issue Aug 25, 2020 · 1 comment
Closed

Concerned with tampered APK sources on Play Store (1.1.6-free) #29

maxieds opened this issue Aug 25, 2020 · 1 comment

Comments

@maxieds
Copy link
Owner

maxieds commented Aug 25, 2020
edited
Loading

In light of today's spirit debate with a few men of feebler mind (so to speak), but l33t hacking skills as it were (see here and here), I am concerned about the following new permission that showed up in v1.1.6-free of this app on Play Store today:

<?xml version="1.0" encoding="UTF-8"?><manifest versionCode="78" versionName="1.1.6-free" installLocation="2" compileSdkVersion="29" compileSdkVersionCodename="10" package="com.maxieds.chameleonminilivedebugger" platformBuildVersionCode="29" platformBuildVersionName="10">
  <uses-sdk minSdkVersion="26" targetSdkVersion="29"/>
  <protected-broadcast name="android.hardware.usb.action.USB_STATE"/>
  <uses-permission name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission name="android.permission.WRITE_SETTINGS"/>
  <uses-permission name="android.permission.INTERNET"/>
  <uses-permission name="android.permission.USB_PERMISSION"/>
  <uses-permission name="android.permission.BLUETOOTH"/>
  <uses-permission name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-feature name="android.hardware.usb.host" required="true"/>
  <uses-feature name="android.hardware.bluetooth" required="false"/>
  <uses-permission name="android.permission.READ_PHONE_STATE"/>
  <application theme="AppThemeGreen" label="Chameleon Live Logger" icon="res/mipmap-anydpi-v26/chameleon_app_icon_round.xml" manageSpaceActivity=".LiveLoggerActivity" excludeFromRecents="true" launchMode="1" description="GUI and portable logging interface for the Chameleon Mini NFC pentesting boards" noHistory="false" testOnly="false" installLocation="1" hardwareAccelerated="true" extractNativeLibs="false" usesCleartextTraffic="false" defaultToDeviceProtectedStorage="true" roundIcon="res/mipmap-anydpi-v26/chameleon_app_icon_round.xml">
    <uses-library name="com.android.future.usb.accessory"/>

I have done my best by reporting my own app to Google, submitting a developer issue to their support team on their console, and submitted a new v1.1.8-free app for rollout. Please upgrade to v1.1.8 ASAP!

com.maxieds.chameleonminilivedebugger_1.1.6-free_0_AndroidManifest.xml.txt
com.maxieds.chameleonminilivedebugger_1.1.6-free.apk.zip
@maxieds
Copy link
Owner Author

maxieds commented Aug 26, 2020

Back to normal with the just now launched v1.1.8 APKs on Play Store. Again, PLEASE UPDATE TO THE NEW VERSION IMMEDIATELY! This should quickly go into effect for both the free and paid flavors of the application. Users who have chosen to roll their own from source should be safe. Same for users that typically install directly from the signed APK sources on the releases page.

✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅

@maxieds maxieds closed this as completed Oct 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@maxieds