Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Android Studio warning when using PackageManager.GET_SIGNATURES

Tags:

android

android-studio

android-studio-2.1

I need to get the package signature, and I currently get it using this code:

Signature[] sigs = c.getPackageManager()
                        .getPackageInfo(c.getPackageName(),
                                        PackageManager.GET_SIGNATURES).signatures;

However, Android Studio gives me this warning:

Reading app signatures from getPackageInfo: The app signatures could be exploited if not validated properly; see issue explanation for details.

Improper validation of app signatures could lead to issues where a malicious app submits itself to the Play Store with both its real certificate and a fake certificate and gains access to functionality or information it shouldn't have due to another application only checking for the fake certificate and ignoring the rest. Please make sure to validate all signatures returned by this method.

What does it mean to validate the signatures in this case? I'm going to check the signatures against a server to make sure they match - is that what they mean?

In a local test, all it outputs is a single negative integer, and not an array as the code would have it.

like image 383
Zoe stands with Ukraine Avatar asked Aug 28 '16 15:08

Zoe stands with Ukraine

1 Answers

Tracing the popup text leads to this source code fragment of Android Studio.
In the same file there is a line containing a link to the outern resource.
Further tracking leads to this presentation about the "Fake ID" vulnerability.

Description of a problem:

The problem is that when Android builds the chain-of-trust, the verification process only compares the ‘subject’ rather than comparing the actual key with the one provided within the details of the certificate’s signer. As a result, an attacker can tinker with the chain-of-trust and claim to be signed by a party – without the party actually signing.

Due to this bug a wrong certificate chain is generated, and might include legitimate certificates, which are embedded in APK but weren’t been used to actually sign the application.

Here is the commit to Android source code, that prevents using this vulnerability. That means if the device has Android 4.4 the problem is not happening. When running lower Android API devices, it might cause harm.

like image 167
R. Zagórski Avatar answered Oct 20 '22 10:10

R. Zagórski
Sign in to Comment

Related questions

android.text.format.DateFormat "HH" is not recognized like with java.text.SimpleDateFormat
How can I access the alpha version of my Android app on Google Play?
Do old GCM tokens live on even after an uninstall?
Get the screen height in Android
Android Studio .2.2 and Gradle package does not exist
How to create PDF from webview in android?
Installing Android app on device from Android Studio
How to listen contact inserted/updated/deleted in address book
Android Text should appear both side in the Switch
Can't Play video in android uploaded from iphone
How can I disable the preloading in a viewpager?
Android deep linking - Back stack
How to programmatically set a lock or pin for an app
Preview of widget not showing correct image after update
Recording Live OpenCV Processing on Android
Android: how to log all Activity methods calls?
Package names for domains which end in .do
How to update UI from Android service using RxJava/RxAndroid
What is the new generated code "This was auto-generated to implement the App Indexing API."?
VectorDrawable image becomes pixelated

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!