hiding data/code in Android APK embedded signatures
Orians, Jeremiah (DTMB)
OriansJ at michigan.gov
Wed Feb 1 16:45:06 UTC 2023
>> Agreed. And I often wish Android had used detached signatures.
>> Though detached signatures would have made distributing APKs more challenging:
>> a single file is much more convenient for end users.
> Sure, but the solution is trivial.
> Create something that you want signed ("item A").
> Sign it as many times as you want ("item signature-of-A-1, signature-of-A-2, etc.").
> Now wrap them up in another archive ("archive of item A, signature-of-A-1, signature-of-A-2, etc.").
>
> Now you have a "convenient single file download", where the signatures can be trivially used & checked. But, since
> the "item being signed" is clearly separable *without* having to understand the details of its format, it's easy to
> add new signatures, ensure that the signatures are valid, reproduce the item being signed, and so on.
>
> If you have to understand the nuances of the ELF or PE format to determine if a signature is valid, you've already failed.
Exactly correct.
Be it zipped or just tar'd (or an ar archive like Debian debs are)
- Jeremiah
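The wrapper layout described in the quoted text, as an added example that is not part of the original message or of any project's code: the signed item is stored as raw bytes next to its detached signatures, so signatures can be added and checked without parsing the item's format. HMAC-SHA256 stands in for a real detached signature scheme, and the member names `item` and `signatures/<signer>.sig`, the function names and the keys are assumptions.

```python
import hashlib, hmac, io, tarfile

def sign(key, item):
    # Assumption: HMAC-SHA256 stands in for a real detached signature over the raw item bytes.
    return hmac.new(key, item, hashlib.sha256).digest()

def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size, info.mtime = len(data), 0  # fixed metadata keeps the wrapper deterministic
    tar.addfile(info, io.BytesIO(data))

def bundle(item, sigs):
    # Wrapper archive: the item first, then one detached signature per signer.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        _add(tar, "item", item)
        for signer in sorted(sigs):
            _add(tar, f"signatures/{signer}.sig", sigs[signer])
    return buf.getvalue()

def unbundle(blob):
    # Strict reader: exactly one item, only signature members, nothing else tolerated.
    item, sigs = None, {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        for m in tar:
            if not m.isfile():
                raise ValueError(f"non-file member {m.name!r}")
            data = tar.extractfile(m).read()
            signer = m.name[len("signatures/"):-len(".sig")]
            if m.name == "item" and item is None:
                item = data
            elif m.name == f"signatures/{signer}.sig" and signer and signer not in sigs:
                sigs[signer] = data
            else:
                raise ValueError(f"unexpected or duplicate member {m.name!r}")
    if item is None:
        raise ValueError("no item in wrapper")
    return item, sigs

def add_signature(blob, signer, sig):
    # Adding a signature rewrites only the wrapper; the item bytes are carried over untouched.
    item, sigs = unbundle(blob)
    sigs[signer] = sig
    return bundle(item, sigs)

def verify(blob, keys):
    # Each signature is checked against the item bytes alone; unknown signers fail.
    item, sigs = unbundle(blob)
    return {s: s in keys and hmac.compare_digest(sig, sign(keys[s], item))
            for s, sig in sigs.items()}
```

The strict reader rejects any member that is neither the item nor a signature, so the wrapper itself offers no unsigned slot for extra data.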