APK signature verification bypass-vulnerability warning-the black bar safety net

2014-12-13T00:00:00
ID MYHACK58:62201456888
Type myhack58
Reporter 佚名
Modified 2014-12-13T00:00:00

Description

0x01 Android signature mechanism


The APK rename it to zip file, then you can see there's a META-INF folder, inside there are three files, called MANIFEST. MF, CERT. SF and CERT. RSA, which is to use signapk. jar to generate the signature file.

1, the MANIFEST. MF file:

The program loops through the update. apk package all the files(entry) on a non-folder non-signature files one-by-one to generate the SHA1 digital signature information, and then Base64 encoded. Specific code, see this method:

|

1

|

private static Manifest addDigestsToManifest(JarFile jar)

---|---

The key code is

1

2

3

4

5

6

7

8

9

1 0

1 1

1 2

1 3

1 4

1 5

1 6

|

for (JarEntry entry: byName. values()) {

String name = entry. getName();

if (! entry. isDirectory() && ! name. equals(JarFile. MANIFEST_NAME) &&

! name. equals(CERT_SF_NAME) && ! name. equals(CERT_RSA_NAME) &&

(stripPattern == null ||! stripPattern. matcher(name). the matches())){

InputStream data = jar. getInputStream(entry);

while ((num = data. read(buffer)) > 0) {

md. update(buffer, 0, num);

}

Attributes attr = null;

if (input != null) attr = input. getAttributes(name);

attr = attr != null ? new Attributes(attr) : new Attributes();

attr. putValue("SHA1-Digest", base64. encode(md. digest()));

output. getEntries(). put(name, attr);

}

}

---|---

[1] [2] [3] [4] [5] [6] [7] next