hiding data/code in Android APK embedded signatures

Nicolas Vigier boklm at mars-attacks.org
Tue Jan 31 10:42:38 UTC 2023

On Tue, 31 Jan 2023, FC Stegerman wrote:

> Hi!
> We already know that embedded signatures [1] pose a challenge for
> reproducible builds.
> And it's not too hard to imagine a program detecting which key it's
> signed with and changing its behaviour based on that; which I think is
> inherently unavoidable.
> But the Android APK Signature Scheme v2/v3 [2] actually allows
> embedding arbitrary data (or code) in the signing block, meaning that
> two APKs with the exact same valid signature -- though not a
> bit-by-bit identical signing block -- can behave differently.

I think reproducible builds cannot prevent applications from
intentionally behaving differently. Even without embedding data in
signatures, an application can already check the hostname, username,
environment variables, or fetch remote files to change its behaviour.


More information about the rb-general mailing list