[guardian-dev] Bazaar/F-Droid: Two-tap vs One-tap provisioning

Daniel McCarney daniel at binaryparadox.net
Tue Mar 25 14:28:59 EDT 2014


On 25/03, Michael Rogers wrote:
> On 20/03/14 13:22, Nathan of Guardian wrote:
> > 1) Injecting data into the APK in a way that doesn't cause problems
> > with the built-in signature (which isn't a signature of the whole
> > APK/JAR file, just the relevant android bits).
> 
> I'm slightly alarmed that this is possible. Which parts of the APK are
> vulnerable to injection?

I just did some simple experiments to figure out the answer to this.
I haven't tested across versions to confirm these findings are
universal.

tl;dr - you can add unsigned files to the META-INF directory of a signed
APK and it will still verify at the command line with 'jarsigner
-verify' and it will install on an unmodified Android device without
error.

To test I exported an unsigned Kerplapp APK from Eclipse. I signed this
APK by creating a new test keystore & key using keytool. Using that
keystore I used jarsigner to sign the APK for installation. After doing
this and verifying that the signed APK installed on my device I added
a new TXT file to the META-INF directory of the signed APK using the zip
tool's -u flag. Running jarsigner -verify on this modified APK results
in "jar verified", but with a warning saying:

  "This jar contains unsigned entries which have not been
  integrity-checked"

Again, the jar *did* verify, the warning is not fatal. Using jarsigner
in a 'strict' verification mode results in "jar verified, with signer
errors" and the above warning is now considered an error. Odd that the
phrasing is 'jar verified, but <errors>'...

What about Android? Will it install the signed APK with the unsigned
META-INF entry? Yup. No warnings whatsoever installing the APK to device
using 'adb install' (once the previous test version was uninstalled of
course).

The next logical question is whether or not you can put a new file in
*any* part of the zip, or just the META-INF directory. I added another
.txt file to the signed APK (again using zip -u), but this time I put it
in the root of the APK instead of the META-INF dir. This resulted in the
same behaviour from jarsigner (i.e. a warning about the unsigned
entries). Trying to install this APK on an Android device results in the
following error from 'adb install':

  "Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]"

It's an odd error message given that I was able to verify the APK using
jarsigner.

So, the take-away:
  * You add a file anywhere to a signed APK and it will verify (with
    varying warning/error level based on settings) using jarsigner
  * If you add an unsigned file to the META-INF directory, it will
    install cleanly on Android
  * If you add an unsigned file to the rest of the APK, it will fail
    to install on Android.

I have a console log of my input/output I can provide if anyone wants to
try and reproduce the experiment.

- Daniel
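For anyone who wants to reproduce the "unsigned entries" finding without a device, here is an added example (not from the original message or from the Kerplapp/F-Droid projects) that does in Python what jarsigner's warning is about: it reads META-INF/MANIFEST.MF from a zip, checks every entry's SHA1-Digest against the actual contents, and reports entries that are not listed in the manifest at all, split into META-INF entries and everything else, matching the two install outcomes described above. The toy "APK" and its contents are constructed in the script, the CERT.RSA written is a placeholder rather than a real PKCS#7 block (so the cryptographic signature over the .SF is not verified here, only manifest coverage), and append_unsigned() mimics what `zip -u` did in the experiment. The function and file names are this example's own.

```python
import base64
import hashlib
import io
import zipfile

# Constructed contents for a toy "APK" (a plain zip, not a real application).
SAMPLE_FILES = {
    "AndroidManifest.xml": b"<manifest package='example.constructed'/>",
    "classes.dex": b"dex\n035\x00 constructed bytes, not real bytecode",
    "res/values/strings.xml": b"<resources/>",
}

# Files jarsigner treats as signature-related rather than as signed entries.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def sha1_b64(data):
    """Base64 of SHA-1, the digest form used in MANIFEST.MF by jarsigner of that era."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_manifest(files):
    """Build a MANIFEST.MF with one section per entry, as jarsigner writes it."""
    out = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in files.items():
        out += ["Name: " + name, "SHA1-Digest: " + sha1_b64(data), ""]
    return "\n".join(out) + "\n"


def build_signed_zip(files, digests_from=None):
    """Write files plus META-INF/MANIFEST.MF, CERT.SF and a placeholder CERT.RSA.

    digests_from lets the manifest be computed from different contents, which
    simulates an entry modified after signing. CERT.RSA is a placeholder, not a
    real signature block; this example checks manifest coverage only.
    """
    manifest = build_manifest(digests_from or files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\nSHA1-Digest-Manifest: "
                    + sha1_b64(manifest.encode()) + "\n\n")
        zf.writestr("META-INF/CERT.RSA", b"placeholder-signature-block")
    return buf.getvalue()


def append_unsigned(zip_bytes, name, data):
    """Append an entry without touching the manifest, like 'zip -u' on a signed APK."""
    buf = io.BytesIO(zip_bytes)
    with zipfile.ZipFile(buf, "a") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Parse MANIFEST.MF into {entry name: {header: value}}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # continuation of the previous (72-byte wrapped) header
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines:
        if not line:                  # blank line ends a section
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections.append(current)
    # The first section holds main attributes; the rest are per-entry sections.
    return {s["Name"]: s for s in sections[1:] if "Name" in s}


def check_coverage(zip_bytes):
    """Classify every entry as covered by a matching digest, tampered, or unsigned."""
    report = {"covered": [], "tampered": [], "unsigned_meta_inf": [], "unsigned_other": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue              # directory entries carry no data
            if name == "META-INF/MANIFEST.MF" or (
                    name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)):
                continue              # signature-related file, not a signed entry
            if name not in manifest:
                bucket = "unsigned_meta_inf" if name.startswith("META-INF/") else "unsigned_other"
                report[bucket].append(name)
            elif manifest[name].get("SHA1-Digest") == sha1_b64(zf.read(name)):
                report["covered"].append(name)
            else:
                report["tampered"].append(name)
    return report


if __name__ == "__main__":
    signed = build_signed_zip(SAMPLE_FILES)
    print("clean:", check_coverage(signed))
    print("META-INF extra:", check_coverage(append_unsigned(signed, "META-INF/extra.txt", b"x")))
    print("root extra:", check_coverage(append_unsigned(signed, "extra.txt", b"x")))
```

The point the report makes visible is that a JAR signature only covers what the manifest lists, so "jar verified" from jarsigner says nothing about entries outside the manifest; a reviewer of an APK wants the unsigned_* and tampered lists to be empty, not merely a successful verify.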