hiding data/code in Android APK embedded signatures

Orians, Jeremiah (DTMB) OriansJ at michigan.gov
Wed Feb 1 16:45:06 UTC 2023

>> Agreed.  And I often wish Android had used detached signatures.  
>> Though detached signatures would have made distributing APKs more challenging:
>> a single file is much more convenient for end users.
> Sure, but the solution is trivial.
> Create something that you want signed ("item A").
> Sign it as many times as you want ("item signature-of-A-1, signature-of-A-2, etc.").
> Now wrap them up in another archive ("archive of item A, signature-of-A-1, signature-of-A-2, etc.").
> Now you have a "convenient single file download", where the signatures can be trivially used & checked. But, since
> the "item being signed" is clearly separable *without* having to understand the details of its format, it's easy to 
> add new signatures, ensure that the signatures are valid, reproduce the item being signed, and so on.
> If you have to understand the nuances of the ELF or PE format to determine if a signature is valid, you've already failed.
Exactly correct.
Be it zipped or just tar'd (or an ar archive like Debian debs are)

- Jeremiah

More information about the rb-general mailing list