Closed burakakyol closed 1 year ago
👋 @burakakyol Issues is only for reporting a bug/feature request. For limited support, questions, and discussions, please join MobSF Slack channel. Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.
Hi @burakakyol Thanks for the report. Can you share an APK to troubleshoot this?
Hi @ajinabraham ,
Due to company policy, I'm not able to share the APK. When we checked the source code, it seems AndroGuard just checks whether a .RSA file exists or not, in order to decide whether the APK has a v1 signature scheme.
Step 1
```python
def is_signed_v1(self):
    """
    Returns true if a v1 / JAR signature was found.

    Returning `True` does not mean that the file is properly signed!
    It just says that there is a signature file which needs to be validated.
    """
    return self.get_signature_name() is not None
```
Step 2
```python
def get_signature_name(self):
    """
    Return the name of the first signature file found.
    """
    if self.get_signature_names():
        return self.get_signature_names()[0]
    else:
        # Unsigned APK
        return None
```
Step 3
```python
def get_signature_names(self):
    """
    Return a list of the signature file names (v1 Signature / JAR
    Signature)

    :rtype: List of filenames matching a Signature
    """
    signature_expr = re.compile(r"^(META-INF/)(.*)(\.RSA|\.EC|\.DSA)$")
    signatures = []

    for i in self.get_files():
        if signature_expr.search(i):
            if "{}.SF".format(i.rsplit(".", 1)[0]) in self.get_files():
                signatures.append(i)
            else:
                log.warning("v1 signature file {} missing .SF file - Partial signature!".format(i))

    return signatures
```
As you can see in the last function, the regex only checks if there are RSA, EC, and DSA extensions that v1 signature scheme needs in the apk. However, this doesn’t mean the apk is signed with v1 signature scheme.
In fact, if the minSdkVersion is greater than 24, the apksigner doesn't need a v1 signature scheme. It directly signs the apk with v2, v3, or v4.
You can find the details in the main documentation. https://source.android.com/docs/security/features/apksigning
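The gap between a filename check and a structural check, as an added example that is not part of the original thread and is not AndroGuard or MobSF code: `filename_heuristic` mirrors the quoted logic, while `v1_structure_ok` additionally requires `META-INF/MANIFEST.MF` and a `*-Digest-Manifest` header in the `.SF` that matches it. The function names, `make_zip` and the sample archives are constructed for illustration, and the PKCS#7 block is not verified.

```python
import base64, hashlib, io, re, zipfile

SIG_BLOCK = re.compile(r"^META-INF/(.*)\.(RSA|EC|DSA)$")
DIGEST_HDR = re.compile(r"^(SHA-?\d+)-Digest-Manifest: (\S+)$", re.M)

def filename_heuristic(apk: bytes) -> bool:
    """Mirrors the quoted check: a signature block with a sibling .SF file."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = set(z.namelist())
    return any(m is not None and f"META-INF/{m.group(1)}.SF" in names
               for m in map(SIG_BLOCK.match, names))

def v1_structure_ok(apk: bytes) -> bool:
    """Stricter: a paired .SF must carry a digest that matches MANIFEST.MF.
    The PKCS#7 block itself is NOT verified here."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = set(z.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            return False
        manifest = z.read("META-INF/MANIFEST.MF")
        for name in names:
            m = SIG_BLOCK.match(name)
            sf = f"META-INF/{m.group(1)}.SF" if m else None
            if sf not in names:
                continue
            text = z.read(sf).decode("utf-8", "replace").replace("\r\n", "\n")
            for alg, b64 in DIGEST_HDR.findall(text):
                try:
                    h = hashlib.new(alg.replace("-", "").lower(), manifest)
                except ValueError:  # digest algorithm unknown to hashlib
                    continue
                if base64.b64encode(h.digest()).decode() == b64:
                    return True
    return False

def make_zip(files: dict) -> bytes:
    """Build an in-memory archive (constructed sample input, not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

MF = b"Manifest-Version: 1.0\r\n\r\n"
SF = (b"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: "
      + base64.b64encode(hashlib.sha256(MF).digest()) + b"\r\n\r\n")
STRAY = make_zip({"META-INF/CERT.RSA": b"x",
                  "META-INF/CERT.SF": b"Signature-Version: 1.0\r\n\r\n"})
JARSIGNED = make_zip({"META-INF/MANIFEST.MF": MF, "META-INF/CERT.SF": SF, "META-INF/CERT.RSA": b"x"})
```

A `True` from `v1_structure_ok` still only means the JAR-signing metadata is internally consistent; `apksigner verify --verbose` remains the authoritative answer on which schemes actually verify.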
Thanks for the detailed response. I will take a look at this as soon as I can.
I can confirm seeing the same issue in at least two different apps. I've noticed that each time it happened with apps with minimum Android version set to 7.0 (API level 24). MobSF showed that v1 signature is applied while apksigner showed that it is not.
I need a sample APK with this behaviour to troubleshoot this. The locally tested APK looks good.
minSdk 24
targetSdk 32
MobSF v3.7.7
v1 signature: False
v2 signature: True
v3 signature: False
v4 signature: Unknown
APK signer
./apksigner verify --verbose app-release.apk
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Anyways we are using apksigner to get signature information from now on. This should address the issue.
EXPLANATION OF THE ISSUE
We're getting wrong results from the static analyzer for signing schemes. While the static analyzer says the apk is signed by the v1 signature scheme, Android's analyzer tool says v1 is disabled. I wonder why we get different results. Which result is consistent to reporting?
In fact, the application doesn't support the v1 signing. So, we must be able to see the v1 signing as false.
build.gradle
MobSF Result:
Apksigner Result:
Command:
Android/sdk/build-tools/29.0.3/apksigner verify --print-certs xxx.apk
Output:
STEPS TO REPRODUCE THE ISSUE
ENVIRONMENT