hiding data/code in Android APK embedded signatures

Marc Prud'hommeaux marc at prux.org
Wed Feb 1 20:39:44 UTC 2023

> On Feb 1, 2023, at 13:40, FC Stegerman <flx at obfusk.net> wrote:
> * Marc Prud'hommeaux [2023-02-01 18:12]:
>> I recently noticed a similar vulnerability in the W3C MiniApp
>> packaging draft [...]
> Interesting, thanks for the info!
>> But in the context of an Android app, where it sounds like it has
>> runtime access to the original .apk artifact and signing data, this
>> could have more serious implications. How much space is available
>> for abuse in the signing block? Could you embed an entire additional
>> .apk in there?
> As far as I know the only size limitation is imposed by the use of a
> uint64 for the size of the block and the pairs in it [1].  So you can
> embed plenty in there.
> Android hopefully has some protections against running native code
> directly from the signing block, but I think embedding e.g. an entire
> alternative JavaScript app bundle for a react native app would be
> fairly trivial to do.

AFAIK nothing stops you from loading Dalvik bytecode using a DexClassLoader[1]. Unlike executable pages on iOS, which cannot be loaded unless they are signed, there's nothing[2] stopping an Android app from executing arbitrary bytecode it gets from wherever.


[1] https://developer.android.com/reference/dalvik/system/DexClassLoader : “A class loader that loads classes from .jar and .apk files containing a classes.dex entry. This can be used to execute code not installed as part of an application.”

[2] other than the policies of the distribution channel, such as: “An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play.” – https://support.google.com/googleplay/android-developer/answer/9888379?hl=en

> - FC
> P.S. interleaved/bottom posting [2] makes threads on mailing lists
> like these a lot easier to read than top-posting :)
> [1] https://source.android.com/docs/security/features/apksigning/v2#apk-signing-block-format
> [2] https://en.wikipedia.org/wiki/Posting_style

More information about the rb-general mailing list