hiding data/code in Android APK embedded signatures

FC Stegerman flx at obfusk.net
Tue Jan 31 22:18:55 UTC 2023


* Nicolas Vigier <boklm at mars-attacks.org> [2023-01-31 11:42]:
> On Tue, 31 Jan 2023, FC Stegerman wrote:
> > We already know that embedded signatures [1] pose a challenge for
> > reproducible builds.
> >
> > And it's not too hard to imagine a program detecting which key it's
> > signed with and changing its behaviour based on that; which I think is
> > inherently unavoidable.
> >
> > But the Android APK Signature Scheme v2/v3 [2] actually allows
> > embedding arbitrary data (or code) in the signing block, meaning that
> > two APKs with the exact same valid signature -- though not a
> > bit-by-bit identical signing block -- can behave differently.
>
> I think reproducible builds cannot prevent applications from
> intentionally behaving differently. Even without embedding data in
> signatures, an application can already check the hostname, username,
> environment variables, or fetch remote files to change its behaviour.

Yes.  I would assume that reproducible builds guarantee that a program
will always behave identically -- in an identical environment.  And
that we can thus conclude that when it does not, there must be
something different about said environment.

We must thus ask ourselves "what is the program's environment"?  I
think environment variables, date/time, etc. are obviously part of the
environment.  As is anything involving networking and remote files.

That we also need to consider the embedded signature data -- even when
the actual signature is 100% identical (and equally valid) -- part of
the program's environment as well seems much less obvious to me.

Which is why I am trying to inform people of this fact :)

- FC
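To make the point above concrete, here is an added example (not code from this thread, nor from apksigner/apksig) that parses the APK Signing Block's ID-value pairs and lists any pair a signature verifier would simply skip. The block layout follows the v2/v3 spec; the sample block, the placeholder signer bytes and the unknown ID 0xDEADBEEF are constructed for the demonstration.

```python
import struct

MAGIC = b"APK Sig Block 42"
# Block IDs the Android platform / apksig define and a verifier actually looks at.
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x1B93AD61: "APK Signature Scheme v3.1",
    0x42726577: "verity padding",
    0x2B09189E: "SourceStamp v1",
    0x6DFF800D: "SourceStamp v2",
}

def build_signing_block(pairs):
    """Assemble an APK Signing Block from (id, value) pairs (constructed test data)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # size field excludes itself, includes trailer + magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + MAGIC

def parse_signing_block(blob):
    """Return the ID-value pairs of an APK Signing Block as a list of (id, value).
    In a real APK the block sits immediately before the ZIP Central Directory."""
    if len(blob) < 32 or blob[-16:] != MAGIC:
        raise ValueError("not an APK Signing Block")
    size_a = struct.unpack_from("<Q", blob, 0)[0]
    size_b = struct.unpack_from("<Q", blob, len(blob) - 24)[0]
    if size_a != size_b or size_a + 8 != len(blob):
        raise ValueError("inconsistent size fields")
    pairs, pos, end = [], 8, len(blob) - 24
    while pos < end:
        length, block_id = struct.unpack_from("<QI", blob, pos)
        value = blob[pos + 12 : pos + 8 + length]
        if len(value) != length - 4:
            raise ValueError("truncated ID-value pair")
        pairs.append((block_id, value))
        pos += 8 + length
    return pairs

def unexpected_blocks(blob):
    """(id, size) of pairs no verifier checks: the space where extra data can hide."""
    return [(i, len(v)) for i, v in parse_signing_block(blob) if i not in KNOWN_IDS]

# Constructed sample: identical placeholder v2 signer bytes, with and without a
# smuggled pair under a made-up ID. The v2 pair (the "signature") is the same in both.
SIG_V2 = b"<placeholder v2 signer block>"
CLEAN = build_signing_block([(0x7109871A, SIG_V2)])
PADDED = build_signing_block([(0x7109871A, SIG_V2), (0xDEADBEEF, b"hidden payload")])
```

A reproducibility check that compares only the v2/v3 signer bytes would report CLEAN and PADDED as equivalent; comparing the full pair list (or diffing `unexpected_blocks`) is what catches the extra data.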
