[guardian-dev] security issues of publishing private package signing key

Chris Kuethe chris.kuethe at gmail.com
Tue Jan 14 18:31:32 EST 2014


That happened to Vignette a few years ago...

http://web.archive.org/web/20130822070055/https://sites.google.com/site/neilandtheresa/Vignette#footnote

"""
* All applications on the Android Market must be digitally signed
using a cryptographic key owned by the developer. Google provide a
"test key" to use during development, but applications signed using
this key are not supposed to be published on the Android Market.
However, we accidentally did exactly that, and our error went
unnoticed for over a year. Recently, Google made some changes to the
Android Market to prevent this happening, and in doing so stopped us
from updating the apps we had already published. Google have not
replied to our e-mails on the subject. Another developer has posted
the replies they received from Google:

Thanks for writing in. We apologize for the inconsistent error
messaging. As you have discovered, we've detected that your apps have
been signed with test keys published in the Android Market Developer
web site.
Publishing test-key signed applications can cause serious security
issues on several devices. You should unpublish any test-keys signed
apps as soon as possible, as Android Market will administratively
suspend these applications in the near future.
To remedy this issue, developers will need to republish their
applications with a new, securely generated set of keys. This means
you will need to have a new package name.
Developers can not sign the same application name twice as it
circumvents the implicit security model of signing.
The users, ratings, and stats from your prior application with the
test-keys can not transfer to the new application. We understand this
is not an ideal situation and we have made changes to prevent
developers from publishing applications in this state going forward.
We appreciate your assistance.

... and:

Thank you for your reply. At this time, there is no method available
to transfer new keys to users for a given app. As mentioned
previously, you'll need to generate a new instance of the application
and publish it to Market.
All test-keys signed applications will eventually be administratively
unpublished or suspended from Android Market.
"""

On Tue, Jan 14, 2014 at 2:51 PM, Jonas Smedegaard <dr at jones.dk> wrote:
> Hi,
>
> Does anyone here know what are the security implications of compiling
> Android using the demo keypair shipped with it - effectively releasing
> APKs signed with a key that has its private key "leaked"?
>
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
>
> _______________________________________________
> Guardian-dev mailing list
>
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/chris.kuethe%40gmail.com
>
> You are subscribed as: chris.kuethe at gmail.com
>



-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?


More information about the Guardian-dev mailing list