hiding data/code in Android APK embedded signatures
flx at obfusk.net
Wed Feb 1 18:40:11 UTC 2023
* Marc Prud'hommeaux [2023-02-01 18:12]:
> I recently noticed a similar vulnerability in the W3C MiniApp
> packaging draft [...]
Interesting, thanks for the info!
> But in the context of an Android app, where it sounds like it has
> runtime access to the original .apk artifact and signing data, this
> could have more serious implications. How much space is available
> for abuse in the signing block? Could you embed an entire additional
> .apk in there?
As far as I know the only size limitation is imposed by the use of a
uint64 for the size of the block and the pairs in it. So you can
embed plenty in there.
Android hopefully has some protections against running native code
directly from the signing block, but I think embedding e.g. an entire
fairly trivial to do.
P.S. interleaved/bottom posting makes threads on mailing lists
like these a lot easier to read than top-posting :)
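As an added illustration of the structure the reply describes (this is example code, not from the thread or from any Android or reproducible-builds project), the following Python script builds a minimal ZIP, splices an APK Signing Block in front of its central directory, stores a second complete ZIP under an ID a verifier would not recognise, and parses the block back out. The v2, v3 and verity-padding IDs are the real constants; the `HIDDEN_ID` value, the file names and the placeholder v2 value are made up for the example, and the assumption that unknown IDs are carried along unverified is stated in the code.

```python
import io
import struct
import zipfile

# Layout constants from the APK Signing Block format.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"
APK_SIG_V2_ID = 0x7109871A      # ID of the APK Signature Scheme v2 pair
APK_SIG_V3_ID = 0xF05368C0      # ID of the APK Signature Scheme v3 pair
VERITY_PADDING_ID = 0x42726577  # ID of the verity padding pair
KNOWN_IDS = {APK_SIG_V2_ID, APK_SIG_V3_ID, VERITY_PADDING_ID}
# Assumption for this example: a verifier ignores IDs it does not know, so a
# value stored under a made-up ID rides along without being checked.
HIDDEN_ID = 0xDEADBEEF


def make_zip(entries):
    """Constructed sample archive from {name: bytes}, stored uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def read_member(zip_bytes, name):
    """Read one entry from an in-memory ZIP with the standard library."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def find_eocd(data):
    """Offset of the End of Central Directory record (comment <= 65535 bytes)."""
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if idx < 0:
        raise ValueError("no EOCD record")
    return idx


def build_signing_block(pairs):
    """Serialise ID-value pairs as uint64 length | uint32 id | value, wrapped in
    two uint64 size fields and the 16-byte magic. Both size fields exclude the
    leading size field itself, so the only bound on a pair is the uint64."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def insert_signing_block(zip_bytes, pairs):
    """Splice a signing block between the last local entry and the central
    directory, then patch the EOCD's central-directory offset to match."""
    eocd = find_eocd(zip_bytes)
    cd_off = struct.unpack_from("<I", zip_bytes, eocd + 16)[0]
    block = build_signing_block(pairs)
    out = bytearray(zip_bytes[:cd_off] + block + zip_bytes[cd_off:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_off + len(block))
    return bytes(out)


def parse_signing_block(apk_bytes):
    """Return [(id, value), ...] from the signing block, or None if absent.
    Raises ValueError when the size or length fields are inconsistent."""
    eocd = find_eocd(apk_bytes)
    cd_off = struct.unpack_from("<I", apk_bytes, eocd + 16)[0]
    if cd_off < 24 or apk_bytes[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return None
    size = struct.unpack_from("<Q", apk_bytes, cd_off - 24)[0]
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", apk_bytes, start)[0] != size:
        raise ValueError("signing block size fields disagree")
    pairs, pos, end = [], start + 8, cd_off - 24
    while pos < end:
        length, pair_id = struct.unpack_from("<QI", apk_bytes, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("pair length out of range")
        pairs.append((pair_id, apk_bytes[pos + 12:pos + 8 + length]))
        pos += 8 + length
    return pairs


def unrecognised_bytes(pairs):
    """Bytes sitting under IDs a signature verifier would not look at."""
    return sum(len(v) for i, v in pairs if i not in KNOWN_IDS)


def build_demo():
    """Outer archive with a second, complete ZIP hidden in its signing block."""
    inner = make_zip({"payload.txt": b"second archive, never signed"})
    outer = make_zip({"classes.dex": b"constructed, not a real dex"})
    # The v2 value is a placeholder, not a real signature structure.
    return insert_signing_block(outer, [(APK_SIG_V2_ID, b"placeholder"), (HIDDEN_ID, inner)])


if __name__ == "__main__":
    apk = build_demo()
    pairs = parse_signing_block(apk)
    for pair_id, value in pairs:
        print(f"id=0x{pair_id:08x} len={len(value)} known={pair_id in KNOWN_IDS}")
    print("unrecognised bytes:", unrecognised_bytes(pairs))
```

The outer archive still opens normally after the splice because local entries and their offsets are untouched; only the EOCD's central-directory offset moves. A reproducibility check that wants to catch this kind of padding can parse the block as above and flag any pair whose ID is outside the set it expects, or whose value is far larger than a signature structure needs.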
More information about the rb-general