hiding data/code in Android APK embedded signatures

David A. Wheeler dwheeler at dwheeler.com
Wed Feb 1 00:38:06 UTC 2023

> On Jan 31, 2023, at 5:18 PM, FC Stegerman <flx at obfusk.net> wrote:
> ...
> We must thus ask ourselves "what is the program's environment"?  I
> think environment variables, date/time, etc. are obviously part of the
> environment.  As is anything involving networking and remote files.
> That we also need to consider the embedded signature data -- even when
> the actual signature is 100% identical (and equally valid) -- part of
> the program's environment as well seems much less obvious to me.
> Which is why I am trying to inform people of this fact :)

Fair enough. I discourage embedded signature data; I think it's wiser
to have something-that-is-signed, and then wrap that (and other info)
along with the relevant signatures.

The idea that adding a signature changes the thing that is signed
seems broken; the signature is supposed to attest something
about the thing signed. Merging them into one object leads to all sorts
of strange conundrums like this.

--- David A. Wheeler

More information about the rb-general mailing list