hiding data/code in Android APK embedded signatures
FC Stegerman
flx at obfusk.net
Fri Feb 3 14:13:59 UTC 2023
* Hans-Christoph Steiner <hans at guardianproject.info> [2023-02-03 07:58]:
> This W3C MiniApp format sounds a lot like JAR signatures, aka APK v1
> signatures. Although not an ideal format, it is at least well understood
> and explored.
Actually, "between the final entry and the zip's central directory" is
exactly where the APK Signing Block is as well. So it sounds more
like a v2/v3 signature in that respect.
Though it sounds like it doesn't contain a signature for all the bytes
in the ZIP (apart from the signature itself), but individual
signatures for the files, which is indeed how v1 signatures work.
> As for some background on why APK v2/v3 signatures have this spot to stick
> data in the signing block, the Android team developed a scheme for app
> stores to sign all APKs that they ship. Then devices can have the public
> key for the app store built into the device, and there can be requirements
> that all installed APKs are also signed by this external key. This extra
> signature goes into this data space in the APK signature, if I am not
> mistaken. It has to be external to the signed content because at the time
> it was implemented, Google Play did not have the sources nor the ability to
> sign APKs with the developers' keys.
That explains why there is some space. Not why there is this much
space, with zero constraints on what can be put in there.
I do understand the need to leave room for new signature schemes (like
the later v3 and v3.1), so I understand not being able to completely
lock down what can be put in there. But now you can just put anything
in there.
In fact, I just put the entire F-Droid APK into the verity padding
block of another APK; apksigner says it's still verified.
> It is funny because APK v2 was developed because JAR/APKv1 allowed too much
> flexibility to add stuff outside of the signature (e.g. the whole META-INF/
> directory). But then I guess they realized that they needed some way to add
> external data after all.
Despite all the
WARNING: META-INF/some/file not protected by signature. Unauthorized
modifications to this JAR entry will not be detected. Delete or move
the entry outside of META-INF/.
warnings that apksigner produces, those files are in fact always
listed in the .MF and .SF and thus covered by the v1 signature in my
experience (e.g. when I implemented v1 verification and signing for
apksigtool).
But the v1 signature doesn't cover the space between entries or their
metadata, leaving plenty of space to hide things.
- FC
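The two hiding places named in this thread (the ID-value pairs of the APK Signing Block that sits between the last entry and the central directory, and the slack between ZIP entries that a v1 signature never covers) can both be audited directly from the ZIP structure. The script below is an added example for this archive page; it is not code from the post, from apksigner or from apksigtool. It builds a constructed two-entry ZIP with a hand-inserted APK Signing Block, then reports pairs with IDs outside the documented set, a verity padding block (ID 0x42726577) that is not all zero, and any byte ranges no entry, directory record or signing block accounts for. The pair-ID table lists only the IDs Android documents; everything else in the sample is constructed.

```python
"""Audit a ZIP/APK for bytes that the signature schemes do not pin down."""
import io
import struct
import zipfile

EOCD_SIG, LOCAL_SIG, CD_SIG = b"PK\x05\x06", b"PK\x03\x04", b"PK\x01\x02"
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# Pair IDs documented by Android; anything else is reported.
KNOWN_IDS = {0x7109871A: "v2 signature", 0xF05368C0: "v3 signature",
             0x1B93AD61: "v3.1 signature", 0x6DFF800D: "source stamp v2",
             0x42726577: "verity padding"}


def find_central_directory(data):
    """Return (cd_offset, cd_size) from the End Of Central Directory record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no End Of Central Directory record")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    return cd_offset, cd_size


def locate_signing_block(data):
    """Return (start, end) of the APK Signing Block, or None when absent."""
    cd_offset, _ = find_central_directory(data)
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return None
    (size,) = struct.unpack_from("<Q", data, cd_offset - 24)
    start = cd_offset - 8 - size  # size excludes the leading size field
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("inconsistent APK Signing Block size fields")
    return start, cd_offset


def parse_signing_block(data):
    """Return [(id, value)] for every uint64-length-prefixed ID-value pair."""
    span = locate_signing_block(data)
    if span is None:
        return []
    start, end = span
    pairs, pos, stop = [], start + 8, end - 24
    while pos < stop:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        pairs.append((pair_id, data[pos + 12:pos + 8 + pair_len]))
        pos += 8 + pair_len
    return pairs


def audit_signing_block(data):
    """Findings about pairs a verifier accepts without looking inside them."""
    findings = []
    for pair_id, value in parse_signing_block(data):
        if pair_id not in KNOWN_IDS:
            findings.append(f"unknown pair id 0x{pair_id:08x} carrying {len(value)} bytes")
        elif pair_id == 0x42726577 and any(value):
            findings.append(f"verity padding block ({len(value)} bytes) is not all zero")
    return findings


def find_zip_slack(data):
    """Return [(offset, length)] of bytes covered by no entry, directory or block."""
    cd_offset, cd_size = find_central_directory(data)
    covered = [(cd_offset, cd_offset + cd_size), (data.rfind(EOCD_SIG), len(data))]
    if locate_signing_block(data):
        covered.append(locate_signing_block(data))
    pos = cd_offset
    while data[pos:pos + 4] == CD_SIG:  # walk the central directory entries
        (flags,) = struct.unpack_from("<H", data, pos + 8)
        (csize,) = struct.unpack_from("<I", data, pos + 20)
        n, e, c = struct.unpack_from("<HHH", data, pos + 28)
        (lho,) = struct.unpack_from("<I", data, pos + 42)
        if data[lho:lho + 4] != LOCAL_SIG:
            raise ValueError(f"bad local header at {lho}")
        ln, le = struct.unpack_from("<HH", data, lho + 26)
        end = lho + 30 + ln + le + csize
        if flags & 0x8:  # data descriptor follows the data (12 or 16 bytes)
            end += 16 if data[end:end + 4] == b"PK\x07\x08" else 12
        covered.append((lho, end))
        pos += 46 + n + e + c
    gaps, cursor = [], 0
    for s, e in sorted(covered):
        if s > cursor:
            gaps.append((cursor, s - cursor))
        cursor = max(cursor, e)
    return gaps


def insert_bytes(data, at, blob):
    """Insert blob at `at`, fixing every offset that points past it."""
    cd_offset, _ = find_central_directory(data)
    out, delta = bytearray(data[:at] + blob + data[at:]), len(blob)
    new_cd = cd_offset + delta if cd_offset >= at else cd_offset
    pos = new_cd
    while out[pos:pos + 4] == CD_SIG:
        n, e, c = struct.unpack_from("<HHH", out, pos + 28)
        (lho,) = struct.unpack_from("<I", out, pos + 42)
        if lho >= at:
            struct.pack_into("<I", out, pos + 42, lho + delta)
        pos += 46 + n + e + c
    struct.pack_into("<I", out, out.rfind(EOCD_SIG) + 16, new_cd)
    return bytes(out)


def build_sample(pairs, slack=b""):
    """Constructed two-entry ZIP with a signing block; optional inter-entry slack."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"constructed dex placeholder")
    data = buf.getvalue()
    if slack:  # bytes before the second local header: outside every v1 digest
        data = insert_bytes(data, data.find(LOCAL_SIG, 4), slack)
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    return insert_bytes(data, find_central_directory(data)[0], block)


CLEAN = build_sample([(0x7109871A, b"constructed v2 placeholder"), (0x42726577, bytes(64))])
SUSPECT = build_sample([(0x7109871A, b"constructed v2 placeholder"), (0x12345678, b"X" * 32),
                        (0x42726577, b"constructed payload" + bytes(45))], slack=bytes(64))

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_signing_block(sample), find_zip_slack(sample))
```

Run against a real APK, `audit_signing_block` lists what apksigner accepts without inspecting, and `find_zip_slack` shows the ranges a v1 verifier never digests; neither check replaces signature verification, they only tell you where bytes can sit that verification does not constrain.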
More information about the rb-general mailing list