hiding data/code in Android APK embedded signatures

Orians, Jeremiah (DTMB) OriansJ at michigan.gov
Wed Feb 1 23:48:46 UTC 2023

> Last I checked, CVE-2007-4559 is still not fixed; and surely not the only unfixed (let alone currently unknown) 
> such vulnerability that may suddenly become a problem when you switch to a scheme where you need to
> unpack an archive before you can verify the authenticity of its contents.
Ok, I propose the following archive format which is immune from all such classes of attacks:
A gpg --armor crypto-signature of your choice
4 null bytes (just in case we want to extend this scheme; otherwise a single null byte will do)
A base64 of any archive format you want

Can be produced via cat
The signature only covers the base64 contents
The unpacker needs only support the following logic:
Read bytes until you hit the first null and dump contents into ${original_filename}.sig; skip the 4 null bytes and
dump rest of file into ${original_filename}.contents

You can now use a separate signature to validate a separate file; that was distributed as a single file in a format
that doesn't not contain any logic or condition beyond the null split.

Now the only dangers exist in your signature itself, chain of trust, etc and I'm not solving that.


More information about the rb-general mailing list