All posts in Technology

Who signed the .apk file?

After a while searching for an older version of an App from the Play Store, I finally found the version I wanted and downloaded it.
In order to install it, you have to “Allow the installation from unknown sources”. So there goes the chain of trust for the app.


So how do you know:

  • Where did the app came from ?
  • Did someone plant Malware in it?
  • Can I trust it?

These are cases for your trusted cryptographer or in the case your certificates.

Basically you need fo follow these steps:

# Dump the apk information
$ANDROID_HOME/build-tools/23.0.0_rc2/aapt dump badging |grep package

# verify the signer
jarsigner -verbose -verify |less

# Verify that all files have been signed with the same key
jarsigner -verbose -certs -verify |less


Error -505 while installing Android App


I’ve had the DB Navigator app trying to update itself for the last 3 to 12 months, but hadn’t really put some time into figuring out why it didn’t work.  If figured I was not the only one affected so they would fix it themselves someday. Since that never happens, I took some time and wrote this post.

In a nutshell the problem is that the ticket database was owned by another DB app: de.bahn.dbtickets. I uninstalled it and then could update / re-install the DB Navigator app.

How did I figure this out?, you say

  1. Enabled developer mode on my phone
  2. Connected to it and used adb logcat to see the logs
  3. Tried to install the app
  4. Found this in the logs

E/Finsky (28878): [1] PackageInstallerImpl.handleCommitCallback: Error -505 while installing INSTALL_FAILED_DUPLICATE_PERMISSION: Package attempting to redeclare permission de.bahn.dbtickets.permission.WRITE_DB already owned by de.bahn.dbtickets
W/Finsky (28878): [1] 3.installFailed: Install failure of -505 null

So the highlighted part is what told me the problem.

Have fun.


I just released a set of scripts that come in handing when creating clean images for virtual environment, heck you can even use it for cloud images.

What they do is:

  • clear all the logs
  • clean up the networking scripts, because the normally get references to the mac address in CentOS
  • clean up the repository files
  • in some cases create a root user

There are scripts for: CentOS 6, Debian and OpenSuse.

They can be be found in the tools section or in github.

Horizon and cookies


I’ve been working with the Havanna release of OpenStack the last couple of days and ran across a default setting that should be avoided in any deployment: using cookies as the session backend.

The source of the problems has been known at least since October 2013  in Django and other frameworks: clear-text client-side session management.
There is even OSVDB entry and Threatpost covered it in an article.

Keep Reading →

Social over-sharing

Image from

In some parts of the world over-sharing or just sharing information about you, your life-style and family can be really dangerous. There are many types of information one can over-share on the Internet, typically on social media sites like Facebook, Twitter, Google+ or Foursquare :

  • Personal information, for example: name, maiden name, birthday, schools we attended, who are our friends and family, pictures.
  • Geo-location or location information: this information tells people where you are and where to find you. Keep Reading →

Measuring community activity in Cloud Computing projects


I normally try to stick to posting original content on my site, but I ran across this post today while doing some research for the Hacker High School project.

It presents a really well structured analysis of the communities that support and give life to the main Cloud Computing projects: OpenStack, CloudStack, Eucalyptus and OpenNebula. All the information was extracted from public forums and code management systems.

You can find the post here:

Executive summary

  Keep Reading →

Smart phone / mobile phone tracking and privacy


The first hand-held mobile phone was demonstrated by Motorola in 1973 and since 90s, mobile phones have become one of the technologies that have the biggest impact on the way we live. Cell phones or mobile phones have reached an impressive 96.2% of the world population and have penetrations rates of over 100% in developed nations. This information technology has spread faster that any other, including TV, Radio and the Internet. Can you remember how we lived before cellphones?

Keep Reading →

vpnc and Fritz!box

Fritz!Box is a series of home routers from AVM, which can do a lot. Among the features is  VPN support: site-to-site and client-to-site (road warrior).

I wanted to play with the road warrior setup, because it is always practical to have a way back into a network: for privacy if on a hot spot or just to be able to access hosts on it.

Fritzbox deliverers it own Windows / Mac VPN client (FRITZ!Box VPN Connection) which works pretty good, but as a Linux user I would really enjoy native support (so I don’t have to get access through a VM, which works pretty well by the way).

After multiple failing tests and toggling all possible vpnc configuration options, which aren’t that many by the way, it was time to play: find the differences!

Keep Reading →

Adoption of Linux releases

I’m impressed how some software Vendor have resisted to provide support for Red Hat Enterprise Linux 6 (RHEL6) and its derivates for their products. This week I ran into two examples:

Keep Reading →

WebOS Security

I had the pleasure of attending WebOS Developer Workshop in Mainz on Saturday Thgtwi (@thgtwi) did a great job with the organization. SuVuK(@SuVuK_open) did a nice report on the contents of the Workshop in his blog.

I took the opportunity talk about Security in the WebOS platform. I ran some tests based on WebOS 3.X, which is currently available for the HP TouchPad and is being opensourced as Open WebOS. Keep Reading →