The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

Aug/13

30

Easy bypass to Android App signing discovered

Infosec Institute published an article showing in detail how application signing on Android devices can be defeated.

This trick allows the attacker to modify a signed application without causing the application to fail its signature check.

The attack works by exploiting a flaw in the way signed files in the .apk zip file are installed and verified. Most zip tools don’t allow duplicate file names, but the zip standard does support it. The problem is that, when confronted by such a situation the signature verification system and the installer do different things.

The signature verifier checks the first copy of a duplicated file, but the installer actually installs the last one.

So, if the first version of a file in the archive is the real one, then the package will check as valid, but then your evil second version actually gets installed and run.

This is another example of vulnerabilities hiding in places you least expect.

· · · ·

1 comment

  • Anonymous Jones · November 18, 2014 at 12:53 pm

    But when you reSign the apk it deletes the 2nd copy.

    Reply

Leave a Reply

<<

>>