hiding data/code in Android APK embedded signatures

FC Stegerman flx at obfusk.net
Wed Feb 1 18:40:11 UTC 2023

* Marc Prud'hommeaux [2023-02-01 18:12]:
> I recently noticed a similar vulnerability in the W3C MiniApp
> packaging draft [...]

Interesting, thanks for the info!

> But in the context of an Android app, where it sounds like it has
> runtime access to the original .apk artifact and signing data, this
> could have more serious implications. How much space is available
> for abuse in the signing block? Could you embed an entire additional
> .apk in there?

As far as I know the only size limitation is imposed by the use of a
uint64 for the size of the block and the pairs in it [1].  So you can
embed plenty in there.

Android hopefully has some protections against running native code
directly from the signing block, but I think embedding e.g. an entire
alternative JavaScript app bundle for a react native app would be
fairly trivial to do.

- FC

P.S. interleaved/bottom posting [2] makes threads on mailing lists
like these a lot easier to read than top-posting :)

[1] https://source.android.com/docs/security/features/apksigning/v2#apk-signing-block-format
[2] https://en.wikipedia.org/wiki/Posting_style

More information about the rb-general mailing list