
Apk Metainfo Warning

I see the below error when I tried to verify if the .apk (Android application) is signed or not.

I'm not sure what this error exactly means?

Does this raise any security concerns?

root@kali:~/Downloads# apksigner verify --verbose magni_v1.2.8_apkpure.com.apk 
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
WARNING: META-INF/android.arch.core_runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/android.arch.lifecycle_livedata-core.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/android.arch.lifecycle_runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/android.arch.lifecycle_viewmodel.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/com.android.support_support-compat.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/com.android.support_support-core-ui.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/com.android.support_support-core-utils.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/com.android.support_support-fragment.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/com.android.support_support-media-compat.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/com.android.support_support-v4.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/rxjava.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

Thanks

Sec Occ asked Aug 31 '18 21:08


1 Answer

The signature of the APK guarantees that if a file is changed in the APK after it is signed, it can't be installed on an Android device (the signature would be invalidated).

The signature of the APK is stored in the META-INF directory of the APK, which means that if some other files are stored in the META-INF directory, they are not covered by the signature. The warning you see shows you some files in your APK that are in the META-INF directory not protected by the signature.

In practice, these files are not important, they're mostly versions of libraries you depend on (only the version number, not the actual code of those libraries which is already compiled in the dex code), so even if someone modified those, it wouldn't have any impact on your app. That's why it's only a warning: those files in your APK can be modified by someone else while still pretending that the APK is signed by you, but those files don't really matter.

This is quite a common thing within APKs, so I wouldn't worry about it.

Pierre answered Oct 20 '22 19:10
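
As an added example (not part of the original answer and not apksigner's own code), this Python script lists the META-INF entries that the warning refers to, with size and SHA-256, so they can be reviewed or compared against another copy of the APK. It assumes the warning applies to every file under META-INF/ other than MANIFEST.MF and the signature files (.SF, .RSA, .DSA, .EC); the benign-suffix list and the sample archive are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Files that make up the v1 (JAR) signature itself.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
# Assumption: suffixes treated as harmless library metadata, as the answer describes.
BENIGN_SUFFIXES = (".version", ".properties")


def unprotected_meta_inf(apk):
    """Return [(name, size, sha256, looks_benign)] for META-INF entries
    that are neither MANIFEST.MF nor signature files."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith("META-INF/") or name.endswith("/"):
                continue
            upper = name.upper()
            if upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNATURE_SUFFIXES):
                continue
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            findings.append((name, info.file_size, digest, name.endswith(BENIGN_SUFFIXES)))
    return findings


def build_sample_apk():
    """Constructed sample: a zip laid out like a v1-signed APK (no real signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/CERT.RSA", b"constructed")
        zf.writestr("META-INF/rxjava.properties", "constructed\n")
        zf.writestr("META-INF/com.android.support_support-v4.version", "constructed\n")
        zf.writestr("META-INF/extra.bin", b"\x00\x01\x02")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, size, digest, benign in unprotected_meta_inf(build_sample_apk()):
        print(f"{'ok    ' if benign else 'REVIEW'} {size:>6} {digest[:16]} {name}")
```

Pass the path of a real APK to `unprotected_meta_inf` in place of the sample; entries printed as REVIEW are the ones that do not match the library-metadata pattern and are worth opening by hand.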