[Cryptography] Android's Secure ADB as a security hole

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Jan 26 05:25:47 EST 2015

Ben Laurie <benl at google.com> writes:
>On 23 January 2015 at 05:26, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> Can someone who's more familiar with Android internals verify whether this
>> signing-oracle-by-design really is there?
>I believe the key used is unique to adb, Surely this is not a problem?

When I was looking at this I did some googling to try and figure out what
controls there were on keys and found somewhere in the ADB docs:

  If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (;
  under Windows) list of private keys, e.g. company-wide or vendor keys.

The key is a generic OpenSSL PEM file, so all you need to do is point at your
company-wide private key in PEM format (conveniently available, and it even
comes with a certificate so why not use it?) and your "secure" ADB is a
signing oracle for your corporate key.


More information about the cryptography mailing list