hiding data/code in Android APK embedded signatures
David A. Wheeler
dwheeler at dwheeler.com
Wed Feb 1 00:38:06 UTC 2023
> On Jan 31, 2023, at 5:18 PM, FC Stegerman <flx at obfusk.net> wrote:
> ...
>
> We must thus ask ourselves "what is the program's environment"? I
> think environment variables, date/time, etc. are obviously part of the
> environment. As is anything involving networking and remote files.
>
> That we also need to consider the embedded signature data -- even when
> the actual signature is 100% identical (and equally valid) -- part of
> the program's environment as well seems much less obvious to me.
>
> Which is why I am trying to inform people of this fact :)
Fair enough. I discourage embedded signature data; I think it's wiser
to have something-that-is-signed, and then wrap that (and other info)
along with the relevant signatures.
The idea that adding a signature changes the thing that is signed
seems broken; the signature is supposed to attest something
about the thing signed. Merging them into one object leads to all sorts
of strange conundrums like this.
--- David A. Wheeler
More information about the rb-general
mailing list