F-Droid Fake Signer PoC
F-Droid Fake Signer PoC (GitHub repository: obfusk/fdroid-fakesigner-poc).
The accompanying German article "Android-Apps auf dem Seziertisch: Eine vertiefte Betrachtung" [8] points out that we noticed that apksigner and androguard handle duplicate signing blocks rather differently: the former only sees the first, the latter only the last, which allows all kinds of shenanigans. Instead of adopting the fixes we proposed, F-Droid wrote and merged their own patch [10], ignoring repeated warnings that it had significant flaws (including an incorrect implementation of v1 signature verification and making it impossible to have APKs with rotated keys in a repository).

NB: in light of all of the above we reiterate that we strongly recommend using the official apksig library (used by apksigner) to both verify APK signatures and return the first signer's certificate, to avoid these kinds of implementation mistakes and inconsistencies and thus further vulnerabilities.
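An added defensive check for the duplicate-block inconsistency described above (my own example, not code from the PoC repository, from androguard or from F-Droid): it parses an APK Signing Block, keeps every ID-value pair including duplicates, and reports any block ID that occurs more than once, so a repository can reject such an APK before any verifier gets to choose "first" or "last". The block layout and the v2/v3 block IDs are the values documented by Android; the sample block with a duplicated v2 entry is constructed in `demo()`.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # APK Signature Scheme v2 block ID
V3_BLOCK_ID = 0xF05368C0  # APK Signature Scheme v3 block ID


def build_sig_block(pairs):
    """Serialise (id, value) pairs into an APK Signing Block (constructed data)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def parse_sig_block(block):
    """Return every (id, value) pair in file order, keeping duplicates."""
    if block[-16:] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("bad APK Signing Block magic")
    size_head, = struct.unpack_from("<Q", block, 0)
    size_tail, = struct.unpack_from("<Q", block, len(block) - 24)
    if size_head != size_tail or size_head + 8 != len(block):
        raise ValueError("size fields disagree")
    pairs, off, end = [], 8, len(block) - 24
    while off < end:
        length, = struct.unpack_from("<Q", block, off)
        ident, = struct.unpack_from("<I", block, off + 8)
        value = block[off + 12:off + 8 + length]
        if len(value) != length - 4:
            raise ValueError("truncated ID-value pair")
        pairs.append((ident, value))
        off += 8 + length
    return pairs


def duplicate_ids(pairs):
    """IDs present more than once: apksigner and androguard would disagree on these."""
    seen, dups = set(), set()
    for ident, _ in pairs:
        (dups if ident in seen else seen).add(ident)
    return dups


def first_and_last(pairs, ident):
    """What a first-wins parser and a last-wins parser would each pick for an ID."""
    vals = [v for i, v in pairs if i == ident]
    return (vals[0], vals[-1]) if vals else (None, None)


def demo():
    # Constructed block: two v2 entries plus one v3 entry (payloads are placeholders).
    block = build_sig_block([(V2_BLOCK_ID, b"v2-A"), (V3_BLOCK_ID, b"v3"), (V2_BLOCK_ID, b"v2-B")])
    pairs = parse_sig_block(block)
    return duplicate_ids(pairs), first_and_last(pairs, V2_BLOCK_ID)
```

A repository-side check would refuse any APK for which `duplicate_ids()` is non-empty rather than trusting whichever entry one particular library happens to read.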