edwindwalker / edwinwalker

Personal site

NowSecure static analysis: Key Used to Publish App is Potentially Forgeable #22

Closed edwindwalker closed 9 months ago

edwindwalker commented 2 years ago

Finding Description

The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to brute force attacks that can result in forged digital signatures. An attacker requires significantly less time to brute force a signing key with a short key length and can use the key to inject malware into trusted versions of apps, publish updates for the app that will be accepted by the OS as valid, or tarnish the publisher's brand.

Steps to Reproduce

The Keytool command can be used to verify the length of a key:

$ keytool -list -v -keystore <key>

NowSecure's automated testing for this finding determines if the key used to sign the app is larger than 1024 bits.

Business Impact

Apps that have signing keys that have been forged can be used as a vector for fraud-related attacks as well as phishing attacks which can have significant reputational impact. An attacker can use a forged app update to modify the app without the developer's consent.

Remediation Resources

Recommended Fix

We recommend signing your app using a key with a length of at least 2048 bits (preferably 4096 bits) to provide optimum protection against forged digital signatures. Keytool should be used to sign Android applications as described here: https://developer.android.com/studio/publish/app-signing. Use the parameter -keysize <size> to specify a longer key length than the 1024-bit default. For apps that have already been signed, updating the key will require key rotation through the use of APK Signing Scheme Version 3: https://support.google.com/googleplay/android-developer/answer/9842756?hl=en.

Code Samples

Key Replacement Process (.bash)

In order to replace the key of an app that has already been created, a rotation must be done (this is a linked list of previous certs to tell other applications this new one can be trusted). Once it has been generated the new key must be added to the Google Play console to ensure that future builds that contain the new cert are accepted by the Play Store and app.

From Command Line
App Key Generation:
$ keytool -genkey -v -keystore my-key.keystore -alias alias_name -keyalg RSA -keysize 4096 -validity 10000

Debug Key Generation:
$ keytool -genkey -v -keystore debug.keystore -storepass android -alias androiddebugkey -keypass android -keyalg RSA -keysize 4096 -validity 10000

Additional Guidance

Risk and Regulatory Information

Severity: medium CVSS: 5.9

Application

See more detail in the NowSecure Report
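An added example, not part of the issue or of NowSecure's report: a Python parser for `keytool -list -v` output that applies the finding's threshold (key size at or below 1024 bits) to every alias in a keystore. The sample listing is constructed, and `list_keystore` is an assumed helper that expects `keytool` on PATH; it is not exercised by the sample.

```python
"""Audit `keytool -list -v` output for signing keys at or below 1024 bits (added example)."""
import re
import subprocess
from dataclasses import dataclass

WEAK_BITS = 1024  # the finding fires for keys at or below this size
ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$", re.MULTILINE)
KEY_RE = re.compile(r"^Subject Public Key Algorithm:\s*(\d+)-bit (\w+) key", re.MULTILINE)

@dataclass
class KeyEntry:
    alias: str
    algorithm: str
    bits: int

    @property
    def forgeable(self) -> bool:
        return self.bits <= WEAK_BITS

def parse_keytool_listing(text: str) -> list[KeyEntry]:
    """Split the listing into per-alias blocks and read each block's key size."""
    entries = []
    for block in re.split(r"(?m)^(?=Alias name:)", text):
        alias_m, key_m = ALIAS_RE.search(block), KEY_RE.search(block)
        if alias_m and key_m:  # skip the keystore header and entries without a cert
            entries.append(KeyEntry(alias_m.group(1).strip(), key_m.group(2), int(key_m.group(1))))
    return entries

def weak_aliases(text: str) -> list[str]:
    """Aliases whose certificate key would trip the NowSecure check."""
    return [e.alias for e in parse_keytool_listing(text) if e.forgeable]

def list_keystore(path: str, storepass: str) -> str:
    """Assumed helper: run keytool on a real keystore (not exercised by the sample)."""
    cmd = ["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed sample: one legacy 1024-bit key beside a compliant 4096-bit key.
SAMPLE = """Keystore type: PKCS12
Your keystore contains 2 entries
Alias name: legacy_release
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key

Alias name: release_2024
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
"""
```

Feed the real listing in with `weak_aliases(list_keystore("my-key.keystore", storepass))` to get the aliases that need rotation.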