
Security alert: App contains embedded private keys or keystore files

Recently got a mail from Google:

This is a notification that your app(s) com.myapp, contains one or more private keys or keystore files embedded in its published apk as listed at the end of this email. These embedded items can be accessed by third parties, which can raise a variety of different security concerns depending on what the key is used for. For example, if the private key is the signing key for your application, a third party could sign and distribute apps that replace your authentic apps or corrupt them. Such a party could also sign and distribute apps under your identity.

As a general security practice, we strongly recommend against embedding private keys and keystore files in apps, even if the keys are password protected or obfuscated. The most effective way to protect your private key and keystore files is not to circulate them.

Please remove your private keys and keystore files from your app at your earliest convenience. Each app is different, but if you aren't sure how to locate the keys and keystore files in your app, you can try looking for files with the "keystore" file extension and grepping for "PRIVATE KEY". For more information about keeping your key secure, please see https://developer.android.com/tools/publishing/app-signing.html.

You have a responsibility as a developer to secure your private key properly, at all times. Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

To check if subsequent versions of your apps contain private keys, please see the Alerts section of the Google Play Developer Console at https://play.google.com/apps/publish/#AlertsPlace.

Affected apps and samples of embedded items:
repack/org/bouncycastle/openssl/test/data/dsa/openssl_dsa_aes128_cbc.pem
repack/org/bouncycastle/openssl/test/data/dsa/openssl_dsa_aes128_cfb.pem
repack/org/bouncycastle/openssl/test/data/dsa/openssl_dsa_aes128_ecb.pem
repack/org/bouncycastle/openssl/test/data/dsa/openssl_dsa_aes128_ofb.pem
repack/org/bouncycastle/openssl/test/data/dsa/openssl_dsa_aes192_cbc.pem

I am using a library (jar file) which contains the above .pem files. These files have the keyword 'PRIVATE KEY'. I am not revealing my private key or keystore anywhere in the APK package. What can I do to address this issue? What change do I make to the JAR file or my app APK? Please help.

varun asked Oct 07 '14 20:10


1 Answer

I got a very similar message from Google today regarding this. Upon investigation I found the same files you have listed in one of my jars. I have resolved this issue by deleting the whole openssl folder from the jar with the following console command.

zip --delete AFFECTEDJAR.jar "repack/org/bouncycastle/openssl/*"

I would suggest checking there are no Java classes in that folder before you run this. In my case there was nothing but test data anyway.

Hope this helps.

Cassie answered Sep 29 '22 00:09
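The same check and clean-up as a script, added here as an example and not part of the answer above: it uses Python's zipfile module instead of the zip CLI, builds a constructed sample jar laid out like the one in the alert, scans entries for keystore-style extensions and the "PRIVATE KEY" marker the alert mentions, and drops the openssl test-data prefix only after confirming it holds no classes. The function names and the sample contents are this example's own; an APK is also a zip, so the scan applies to it unchanged.

```python
import io
import zipfile

# File types Google's alert suggests looking for (keystores) plus PEM/PKCS#12 key containers.
KEY_FILE_SUFFIXES = (".keystore", ".jks", ".bks", ".p12", ".pfx", ".pem", ".key")
PRIVATE_KEY_MARKER = b"PRIVATE KEY"  # the grep string from the alert

def build_sample_jar():
    """Constructed sample jar (not a real artifact): one library class plus BouncyCastle-style
    openssl test data at the paths the alert listed. The key body is dummy text, not a real key."""
    fake_pem = (b"-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                b"ZmFrZS1rZXktbWF0ZXJpYWwtZm9yLXRlc3Rpbmc=\n-----END DSA PRIVATE KEY-----\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("repack/org/bouncycastle/crypto/Digest.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        zf.writestr("repack/org/bouncycastle/openssl/test/data/dsa/openssl_dsa_aes128_cbc.pem", fake_pem)
        zf.writestr("repack/org/bouncycastle/openssl/test/data/dsa/openssl_dsa_aes128_cfb.pem", fake_pem)
        zf.writestr("assets/config.txt", b"api_base=https://example.invalid\n")
    return buf.getvalue()

def find_embedded_keys(jar_bytes, max_scan=1_000_000):
    """Names of entries that look like key material: keystore-style file names, or any
    non-class entry (up to max_scan bytes) whose content contains the PEM 'PRIVATE KEY' marker."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or name.endswith(".class"):
                continue
            if name.lower().endswith(KEY_FILE_SUFFIXES):
                hits.append(name)
            elif info.file_size <= max_scan and PRIVATE_KEY_MARKER in zf.read(name):
                hits.append(name)
    return hits

def strip_prefix(jar_bytes, prefix):
    """Rebuild the jar without entries under prefix (what 'zip --delete' does), refusing when
    that prefix also holds .class files so library code is never removed by accident."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src:
        doomed = [n for n in src.namelist() if n.startswith(prefix)]
        classes = [n for n in doomed if n.endswith(".class")]
        if classes:
            raise ValueError("refusing to delete %s, it contains classes: %s" % (prefix, classes))
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.filename not in doomed:
                    dst.writestr(info, src.read(info.filename))
    return out.getvalue(), doomed
```

Run find_embedded_keys over every jar and the final APK as part of the build so a regression shows up before Google's scanner reports it.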