Check for Android 5.x lockscreen vulnerability - CVE-2015-3860 #18
Comments
Fuzion24
changed the title
|
The relevant xml layout file is actually located in SystemUI.apk. |
|
Yea, the problem here is that there are no good on device axml parsing libraries available. Input is definitely welcome here. |
|
I think the AXML parsing code from Apktool(https://github.com/iBotPeaches/Apktool) is good enough (it was able to properly convert the keyguard_password_view.xml from CM13 to a regular XML). |
|
That code doesn't implement pull parsing. You'd have to write it out to a file somewhere and then read it back in with some standard xml parsing. I have a fork of that code that does this, but it is kind of defunct at this point. |
|
Is there anything particularly wrong with https://github.com/xgouchet/AXML? |
|
The license is MIT, so there is no conflict with the license here. If you wanted to open a pull request, I'd be happy to look at it and merge it. Cheers, |
|
I mean, I think we should provide attribution to the author of the library and include its license in some activity in the APK, not only in the source code. |
|
Sure. I'll leave that to your discretion. |
http://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/
this is patched by https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590
One possible idea: Include an AXML in the application, open framework-res parse the relevant axml and check for the existence of
android:maxLength="500"The text was updated successfully, but these errors were encountered: