hiding data/code in Android APK embedded signatures

David A. Wheeler dwheeler at dwheeler.com
Wed Feb 1 16:20:57 UTC 2023

> On Jan 31, 2023, at 8:59 PM, FC Stegerman <flx at obfusk.net> wrote:
> Agreed.  And I often wish Android had used detached signatures.  Though
> detached signatures would have made distributing APKs more challenging:
> a single file is much more convenient for end users.

Sure, but the solution is trivial.

Create something that you want signed ("item A").
Sign it as many times as you want ("item signature-of-A-1, signature-of-A-2, etc.").
Now wrap them up in another archive ("archive of item A, signature-of-A-1,
signature-of-A-2, etc.").

Now you have a "convenient single file download", where the signatures
can be trivially used & checked. But, since the "item being signed" is
clearly separable *without* having to understand the details of its format,
it's easy to add new signatures, ensure that the signatures are valid,
reproduce the item being signed, and so on.

If you have to understand the nuances of the ELF or PE format to determine
if a signature is valid, you've already failed.

--- David A. Wheeler

More information about the rb-general mailing list