hiding data/code in Android APK embedded signatures
flx at obfusk.net
Tue Jan 31 04:46:04 UTC 2023
We already know that embedded signatures pose a challenge for
And it's not too hard to imagine a program detecting which key it's
signed with and changing its behaviour based on that; which I think is
But the Android APK Signature Scheme v2/v3 actually allows
embedding arbitrary data (or code) in the signing block, meaning that
two APKs with the exact same valid signature -- though not a
bit-by-bit identical signing block -- can behave differently.
I have written about my concerns  before, but now I've finally made
a PoC  for an Android app that reads the APK Signing block of its
own APK and extracts a payload to alter its behaviour.
Whether the payload is present or not does not affect the validity of
Thus we get two APKs -- with an identical valid v1+v2+v3 signature --
but one says "nothing to see here..." when you run it, whereas the
other says e.g. "This is the payload".
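To make the structural point concrete, here is an added example (not the PoC from this post, and not apksigner's code) that builds a tiny ZIP, inserts a constructed APK Signing Block before the central directory, parses the block back into its ID-value pairs, and reports any ID the v2/v3 verifier does not define. It also reconstructs the three regions the v2/v3 digests cover (ZIP entries, central directory, and the EOCD with its central-directory offset rewritten to the block start) to show that two files carrying different payloads in the signing block have identical signed content. The block IDs marked as known are the v2, v3 and verity-padding IDs from the scheme spec; the payload ID 0x1234ABCD, the entry name and its contents are constructed placeholders.

```python
"""Inspect an APK Signing Block and show which bytes the v2/v3 digests cover.

Added example for this post, not the author's PoC. Sample ZIP and payload
are constructed inline so it runs offline.
"""
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"

# Block IDs defined by the v2/v3 schemes (plus verity padding). Any other
# ID is skipped by the platform verifier, so it can carry arbitrary bytes.
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
}


def _eocd_offset(data):
    off = data.rfind(EOCD_SIG)
    if off < 0:
        raise ValueError("no end-of-central-directory record")
    return off


def _cd_offset(data):
    # The central directory offset sits 16 bytes into the EOCD record.
    return struct.unpack_from("<I", data, _eocd_offset(data) + 16)[0]


def _block_bounds(data):
    """Return (block_start, cd_offset); start == cd_offset when no block."""
    cd = _cd_offset(data)
    if data[cd - 16:cd] != MAGIC:
        return cd, cd
    size = struct.unpack_from("<Q", data, cd - 24)[0]  # excludes itself
    start = cd - 8 - size
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("inconsistent signing block size fields")
    return start, cd


def build_signing_block(pairs):
    """Serialise (id, value) pairs: uint64 length, uint32 id, value bytes."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # body + trailing size field + magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + MAGIC


def insert_signing_block(zip_bytes, pairs):
    """Place a signing block between the entries and the central directory."""
    cd = _cd_offset(zip_bytes)
    block = build_signing_block(pairs)
    out = bytearray(zip_bytes[:cd] + block + zip_bytes[cd:])
    struct.pack_into("<I", out, _eocd_offset(bytes(out)) + 16, cd + len(block))
    return bytes(out)


def parse_signing_block(data):
    """Return the list of (id, value) pairs, or [] if there is no block."""
    start, cd = _block_bounds(data)
    pairs, pos, end = [], start + 8, cd - 24
    while pos < end:
        length, block_id = struct.unpack_from("<QI", data, pos)
        pairs.append((block_id, data[pos + 12:pos + 8 + length]))
        pos += 8 + length
    return pairs


def unknown_blocks(data):
    """Pairs whose ID the v2/v3 verifier ignores: where extra data hides."""
    return [(i, v) for i, v in parse_signing_block(data) if i not in KNOWN_IDS]


def signed_content(data):
    """Entries + central directory + EOCD (CD offset rewritten to the block
    start), i.e. the regions the v2/v3 digests cover; the block is excluded."""
    start, cd = _block_bounds(data)
    eocd = _eocd_offset(data)
    rec = bytearray(data[eocd:])
    struct.pack_into("<I", rec, 16, start)
    return data[:start] + data[cd:eocd] + bytes(rec)


def make_sample_zip():
    # Constructed stand-in for an APK; the entry is not a real DEX file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"not a real dex")
    return buf.getvalue()


def zip_entry(data, name):
    return zipfile.ZipFile(io.BytesIO(data)).read(name)


if __name__ == "__main__":
    base = make_sample_zip()
    v2 = (0x7109871A, b"\x00" * 16)  # placeholder in lieu of a real v2 block
    quiet = insert_signing_block(base, [v2])
    loud = insert_signing_block(base, [v2, (0x1234ABCD, b"This is the payload")])
    print("unknown blocks:", unknown_blocks(loud))
    print("same signed content:", signed_content(quiet) == signed_content(loud))
```

Run against a real APK, `unknown_blocks(open(path, "rb").read())` lists every pair a verifier would skip; a reproducibility or review check can diff that list between two builds that otherwise verify with the same certificate, which is exactly the difference the two PoC APKs above would show.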