
How do Mobile Device Management tools (MDMs) identify mobile apps in order to allow only whitelisted applications to be installed?

First I thought of some kind of hash, but because the APK changes in the Play Store I don't think so.

If it is the name of the application or another attribute in the Android manifest.xml, it can probably be faked.

In fact, what I'm really worried about is this news that applications like Wifi Analyzer installed from alternative app stores have been trojanized... If my MDM allows Wifi Analyzer from Play Store, would it also allow a trojanized Wifi Analyzer from an alternative app store? [Link to article]

Eloy Roldán Paredes
  • Hi Eloy, questions asking for a HOW-TO guide to break or deceive the security of a specific system are discouraged on this site. However, it is perfectly ok to ask about how the system works to further your understanding of it. I have edited your question accordingly. Please feel free to further [edit](https://security.stackexchange.com/posts/107740/edit) your question if you want. – Mike Ounsworth Dec 10 '15 at 13:26
  • I'm really on the blue side, just trying to understand how my users could circumvent these security measures, but it's ok :). In fact, what I'm really worried about is this news that says that applications like Wifi Analyzer installed from alternative app stores have been trojanized... if my MDM allows Wifi Analyzer from Play Store, would it also allow a trojanized Wifi Analyzer from an alternative app store? http://researchcenter.paloaltonetworks.com/2015/12/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/ – Eloy Roldán Paredes Dec 10 '15 at 15:01
  • I'm not sure this is answerable here. The MDM vendor might be able to tell you or a mobile app development forum. – schroeder Dec 10 '15 at 15:30

1 Answer


Android uses a code signing system to prove who the author is of any particular app. This means that you can trace any Android APK back to the Google account of the developer (or company) who did the build.

Since this is built in to the core of Android, I would assume that MDMs use it as part of the app whitelist process, i.e., any version of the same app signed by the original developer is ok, a version signed by anybody else is not ok.

As mentioned by @schroeder, exactly how the whitelisting is done probably differs from MDM to MDM, and is undoubtedly proprietary information. For a more concrete answer, you should contact the customer support of your MDM vendor.

Mike Ounsworth
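The check the answer supposes (same package name, but only when signed with the original developer's certificate) can be sketched as below. This is an added example, not part of the original answer and not any MDM vendor's implementation; the package name, allowlist and certificate digests are constructed, and the input is assumed to be the text printed by `apksigner verify --print-certs`.

```python
import re

# Hypothetical allowlist: package name -> SHA-256 digests of the signing
# certificates accepted for it. The digest is a constructed value, not the
# real certificate of any app.
ALLOWLIST = {
    "com.example.wifianalyzer": {"a1" * 32},
}

# apksigner prints one "... certificate SHA-256 digest: <hex>" line per signer.
_DIGEST_RE = re.compile(r"certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\b")


def signer_digests(print_certs_output):
    """Return the set of signer certificate digests found in apksigner output."""
    return {d.lower() for d in _DIGEST_RE.findall(print_certs_output)}


def is_allowed(package, print_certs_output, allowlist=ALLOWLIST):
    """Allow only a listed package whose every signer certificate is pinned."""
    pinned = allowlist.get(package)
    found = signer_digests(print_certs_output)
    if not pinned or not found:
        # Unknown package, or output with no signer (unsigned / unparsable).
        return False
    # A single unexpected signer is enough to reject the APK.
    return found <= pinned


# Constructed sample outputs (not taken from real APKs).
GENUINE = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    "Signer #1 certificate SHA-256 digest: " + "a1" * 32 + "\n"
)
# Same package name in the manifest, but re-signed by someone else.
REPACKAGED = (
    "Signer #1 certificate DN: CN=Someone Else\n"
    "Signer #1 certificate SHA-256 digest: " + "b2" * 32 + "\n"
)

if __name__ == "__main__":
    for label, out in (("genuine", GENUINE), ("repackaged", REPACKAGED)):
        print(label, is_allowed("com.example.wifianalyzer", out))
```

The package name on its own decides nothing here: a repackaged APK can keep it, but cannot reproduce the original signer's certificate digest without the developer's private key.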