hiding data/code in Android APK embedded signatures

FC Stegerman flx at obfusk.net
Wed Feb 1 01:59:41 UTC 2023

* "David A. Wheeler" <dwheeler at dwheeler.com> [2023-02-01 01:38]:
> > On Jan 31, 2023, at 5:18 PM, FC Stegerman <flx at obfusk.net> wrote:
> > We must thus ask ourselves "what is the program's environment"?  I
> > think environment variables, date/time, etc. are obviously part of the
> > environment.  As is anything involving networking and remote files.
> >
> > That we also need to consider the embedded signature data -- even when
> > the actual signature is 100% identical (and equally valid) -- part of
> > the program's environment as well seems much less obvious to me.
> >
> > Which is why I am trying to inform people of this fact :)
> Fair enough. I discourage embedded signature data; I think it's wiser
> to have something-that-is-signed, and then wrap that (and other info)
> along with the relevant signatures.

Agreed.  And I often wish Android had used detached signatures.  Though
detached signatures would have made distributing APKs more challenging:
a single file is much more convenient for end users.

> The idea that adding a signature changes the thing that is signed
> seems broken; the signature is supposed to attest something
> about the thing signed. Merging them into one object leads to all sorts
> of strange conundrums like this.

Agreed.  Though I'm not convinced detached signatures are automatically
safe from this.

If e.g. Android had used the exact same signature scheme, just stored in
a separate file (that e.g. needs to be in the same directory and have
the same filename as the APK, but a different extension) instead of an
APK Signing Block in the APK itself, would the situation really be all
that different?

And are other systems using detached signatures that are available to
the program at runtime safe from this kind of behaviour?

( There is in fact an APK Signature Scheme v4 [1] that uses .apk.idsig
  detached signatures, but this "requires a complementary v2 or v3
  signature"; I haven't really looked at the details since v4 is not
  relevant for F-Droid/apksigcopier. )

- FC

[1] https://source.android.com/docs/security/features/apksigning/v4
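An added illustration (not code from this thread, from F-Droid or from apksigcopier) of why the APK Signing Block counts as "part of the program's environment": the block is a sequence of ID-value pairs placed just before the ZIP central directory, and a verifier only inspects the IDs it knows, so a pair with any other ID leaves the signature exactly as valid while staying readable to the app at runtime. The parser below lists the pairs and flags unknown IDs as a defender-side check; `insert_signing_block` and `make_sample_apk` build a constructed fixture with a placeholder v2 entry and a made-up unknown ID 0x0badf00d, not a real signed APK.

```python
import io, struct, zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
# IDs apksigner defines (v2, v3, v3.1, verity padding, source stamp v2); others are opaque
KNOWN_IDS = {0x7109871a, 0xf05368c0, 0x1b93ad61, 0x42726577, 0x6dff800d}

def _eocd(data):
    """Offset of the End of Central Directory record and the CD offset it stores."""
    i = data.rindex(EOCD_SIGNATURE)  # ValueError if there is no EOCD at all
    return i, struct.unpack_from("<I", data, i + 16)[0]

def signing_block_pairs(data):
    """Return the [(id, value)] pairs of the APK Signing Block, [] if there is none."""
    _, cd_offset = _eocd(data)
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]  # excludes its own 8 bytes
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("inconsistent signing block size fields")
    pairs, pos, end = [], start + 8, cd_offset - 24
    while pos < end:
        length, bid = struct.unpack_from("<QI", data, pos)
        pairs.append((bid, bytes(data[pos + 12:pos + 8 + length])))
        pos += 8 + length
    return pairs

def unknown_blocks(data):
    """Defender check: pairs whose ID no signature scheme defines, with their sizes."""
    return [(bid, len(v)) for bid, v in signing_block_pairs(data) if bid not in KNOWN_IDS]

def insert_signing_block(zip_bytes, pairs):
    """Test fixture: splice a signing block holding the given pairs in front of the CD."""
    eocd_off, cd_offset = _eocd(zip_bytes)
    body = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in pairs)
    size = len(body) + 8 + 16  # pairs + second size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = bytearray(zip_bytes[eocd_off:])
    struct.pack_into("<I", eocd, 16, cd_offset + len(block))  # CD moved by len(block)
    return zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:eocd_off] + bytes(eocd)

def make_sample_apk():
    """Constructed sample: a tiny ZIP with a placeholder entry and no real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return insert_signing_block(buf.getvalue(), [
        (0x7109871a, b"v2-signer-placeholder"),  # stands in for a real v2 signer block
        (0x0badf00d, b"extra-payload=1")])       # constructed unknown ID, ignored by verifiers
```

Because the ZIP central directory and local entries are untouched, the fixture still opens as an ordinary archive; only the bytes between file data and central directory differ.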
