I need to get the package signature, and I currently get it using this code:
Signature sigs c.getPackageManager() .getPackageInfo(c.getPackageName(), PackageManager.GET_SIGNATURES).signatures;
However, Android Studio gives me this warning:
Reading app signatures from getPackageInfo: The app signatures could be exploited if not validated properly; see issue explanation for details.
Improper validation of app signatures could lead to issues where a malicious app submits itself to the Play Store with both its real certificate and a fake certificate and gains access to functionality or information it shouldn’t have due to another application only checking for the fake certificate and ignoring the rest. Please make sure to validate all signatures returned by this method.
What does it mean to validate the signatures in this case? I’m going to check the signatures against a server to make sure they match – is that what they mean?
In a local test, all it outputs is a single negative integer, and not an array as the code would have it.
Tracing the popup text leads to this source code fragment of Android Studio.
In the same file there is a line containing a link to the outern resource.
Further tracking leads to this presentation about the “Fake ID” vulnerability.
The problem is that when Android builds the chain-of-trust, the verification process only compares the ‘subject’ rather than comparing the actual key with the one provided within the details of the certificate’s signer. As a result, an attacker can tinker with the chain-of-trust and claim to be signed by a party – without the party actually signing.
Due to this bug a wrong certificate chain is generated, and might include legitimate certificates, which are embedded in APK but weren’t been used to actually sign the application.
Here is the commit to Android source code, that prevents using this vulnerability. That means if the device has Android 4.4 the problem is not happening. When running lower Android API devices, it might cause harm.
Answered By – R. Zagórski