Android Studio warning when using PackageManager.GET_SIGNATURES
I need to get the package signature, and I currently get it using this code:

Signature[] sigs = c.getPackageManager()
                        .getPackageInfo(c.getPackageName(),
                                        PackageManager.GET_SIGNATURES).signatures;

However, Android Studio gives me this warning:

Reading app signatures from getPackageInfo: The app signatures could be exploited if not validated properly; see issue explanation for details.

Improper validation of app signatures could lead to issues where a malicious app submits itself to the Play Store with both its real certificate and a fake certificate and gains access to functionality or information it shouldn't have due to another application only checking for the fake certificate and ignoring the rest. Please make sure to validate all signatures returned by this method.

What does it mean to validate the signatures in this case? I'm going to check the signatures against a server to make sure they match - is that what they mean?

In a local test, all it outputs is a single negative integer, and not an array as the code would have it.

Ionize answered 28/8, 2016 at 15:25 Comment(1)
I have filed an issue asking for real docs for this sort of thing. I would assume that so long as your algorithm for "check the signatures" is decent, you should be OK. But, since I am not clear what they are warning about, I cannot be certain. - Sought

Tracing the popup text leads to this source code fragment of Android Studio.
In the same file there is a line containing a link to an external resource.
Further tracking leads to this presentation about the "Fake ID" vulnerability.

Description of a problem:

The problem is that when Android builds the chain-of-trust, the verification process only compares the ‘subject’ rather than comparing the actual key with the one provided within the details of the certificate’s signer. As a result, an attacker can tinker with the chain-of-trust and claim to be signed by a party – without the party actually signing.

Due to this bug a wrong certificate chain is generated, and it might include legitimate certificates which are embedded in the APK but weren't used to actually sign the application.

Here is the commit to the Android source code that prevents use of this vulnerability. That means that if the device runs Android 4.4, the problem does not occur. On devices running lower Android API levels, it might cause harm.

Archibaldo answered 6/9, 2016 at 11:46 Comment(2)
So it is a known bug that can cause the certificate to be compromised. Is it "automatically" fixed, or is there further code that has to be added to solve/protect against it? - Ionize
Since KitKat, no problems with certificate chain replacement or modification should arise. But if you really would like to check the certificate fingerprint of a package, have a look at this (might be helpful on lower API devices). - Flavorsome
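The lint text asks that all signatures returned by getPackageInfo be validated, and the answer above explains why: the pre-4.4 chain builder trusted a certificate's subject rather than its key material, so an APK could carry a legitimate certificate it was never signed with. The following is an added example, not code from the question, the answer or any Android project, of what "validate all signatures" can look like in practice: every Signature in the array is hashed and compared against a pinned fingerprint set, and the package is rejected if even one entry is unexpected. The class name SignatureCheck, the helper names, and the EXPECTED_SHA256 placeholder value are assumptions of this example.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Set;

/**
 * Added example (not from the original post): validates EVERY signature that
 * PackageManager returns against a pinned SHA-256 fingerprint set, instead of
 * accepting the package as soon as one entry looks familiar.
 */
public final class SignatureCheck {

    // Placeholder, not a real value: replace with the SHA-256 fingerprint of
    // your own signing certificate (colon-separated upper-case hex, as
    // printed by `keytool -list -v`).
    private static final Set<String> EXPECTED_SHA256 = Collections.singleton(
            "REPLACE_WITH_SHA256_FINGERPRINT_OF_YOUR_SIGNING_CERT");

    private SignatureCheck() {}

    /**
     * Returns true only if the package has at least one signature and every
     * signature is in the pinned set. A package that presents a genuine
     * certificate alongside an unexpected one is rejected: "any one matches"
     * logic is exactly what the lint warning cautions against.
     */
    public static boolean isTrusted(Context c, String packageName) {
        Signature[] sigs;
        try {
            PackageInfo info = c.getPackageManager()
                    .getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
            sigs = info.signatures;
        } catch (PackageManager.NameNotFoundException e) {
            return false;  // unknown package is never trusted
        }
        return allSignaturesPinned(sigs, EXPECTED_SHA256);
    }

    /** Pure comparison logic, kept free of Android types' callers so it can be unit-tested on the JVM. */
    static boolean allSignaturesPinned(Signature[] sigs, Set<String> expected) {
        if (sigs == null || sigs.length == 0) {
            return false;  // no signatures at all is a failure, not a pass
        }
        for (Signature s : sigs) {
            // Hash the DER-encoded certificate bytes. Comparing the full
            // certificate (via its digest) rather than its subject name is the
            // point: the Fake ID flaw was a subject-only comparison.
            if (!expected.contains(sha256Hex(s.toByteArray()))) {
                return false;
            }
        }
        return true;
    }

    /** SHA-256 of the given bytes as colon-separated upper-case hex, e.g. "AB:CD:...". */
    static String sha256Hex(byte[] der) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(digest.length * 3);
            for (int i = 0; i < digest.length; i++) {
                if (i > 0) sb.append(':');
                sb.append(String.format("%02X", digest[i]));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Two design points worth noting. First, the check is "all signatures match", never "some signature matches": that single choice is what the warning text means by validating all signatures returned by the method, and it is what makes a bundled fake-plus-real certificate pair fail on pre-KitKat devices. Second, the comparison is on the certificate bytes themselves (through their digest), not on a subject name, which is the field the answer explains was the weak link. On API 28 and later, PackageManager.GET_SIGNATURES is deprecated in favour of GET_SIGNING_CERTIFICATES and PackageInfo.signingInfo; the same all-must-match rule applies to the certificate history that API exposes.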
