NowSecure static analysis: Key Used to Publish App is Potentially Forgeable

jnowsecure commented 9 months ago

Finding Description

The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable brute force attacks that can result in forged digital signatures. An attacker requires significantly less time to brute force a signing key with a short key length and can use the key to inject malware into trusted versions of apps, publish updates for the app that will be accepted by the OS as valid, or tarnish the publisher's brand.

Steps to Reproduce

The Keytool command can be used to verify the length of a key: keytool -list -v -keystore <key> NowSecure's automated testing for this finding determines if the key used to sign the app is larger than 1024 bits.

Business Impact

Apps that have signing keys that have been forged can be used as a vector for fraud-related attacks as well as phishing attacks which can have significant reputational impact. An attacker can use a forged app update to modify the app without the developer's consent.

Remediation Resources

Recommended Fix

We recommend signing your app using a key with a length of at least 2048 bits (preferably 4096 bits) to provide optimum protection against forged digital signatures. Keytool should be used to sign Android applications as described here: https://developer.android.com/studio/publish/app-signing. Use the parameter -keysize <size> to specify a longer key length than the 1024-bit default. For apps that have already been signed, updating the key will require key rotation through the use of APK Signing Scheme Version 3:https://support.google.com/googleplay/android-developer/answer/9842756?hl=en.

Code Samples

Key Replacement Process (.bash)

In order to replace the key of an app that has already been created, a rotation must be done (this is a linked list of previous certs to tell other applications this new one can be trusted). Once it has been generated the new key must be added to the Google Play console to ensure that future builds that contain the new cert are accepted by the Play Store and app.

From Command Line
App Key Generation:
$ keytool -genkey -v -keystore my-key.keystore -alias alias_name -keyalg RSA -keysize 4096 -validity 10000

Debug Key Generation:
$ keytool -genkey -v -keystore debug.keystore -storepass android -alias androiddebugkey -keypass android -keyalg RSA -keysize 4096 -validity 10000

Additional Guidance

This resource provides information about the Android Keystore System and provides details on how to use https://developer.android.com/training/articles/keystore
This resource details different ways of signing an app with a key/keystore and walks through ways to have Android Studio automatically sign the app and have it managed by Google https://developer.android.com/studio/publish/app-signing#generate-key
This article provides information on key rotation https://source.android.com/security/apksigning/v3#proof-of-rotation-and-self-trusted-old-certs-structs

Risk and Regulatory Information

Severity: medium

CVSS: 5.9

Policy Category: Needs Remediation

CWE: 310, 326
NIAP: FPT_TUD_EXT.1.6, FCS_COP.1.1(3)
FISMA LOW: SC-13 CRYPTOGRAPHIC PROTECTION
FISMA MED: SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
Risk OWASP: MSTG-CODE-1 (OWASP MASVS v1.5.0), MASVS-RESILIENCE-2 (OWASP MASVS v2.0.0)
GDPR: Risks violating Article 25, Risks violating Article 32
FFIEC: May violate D3.PC.Se.Int.3
PCI: May violate requirement 3.6.1
HIPAA: May violate §164.312(a)(1): Standard: Access control.
CCPA: Risks violating CCPA: exfiltration, theft, or disclosure of PII
CWE Top 25: 2021 CWE Top 25 Most Dangerous Software Errors

Application

Platform: android
Package: com.accuweather.android

See more detail in the NowSecure Report

Evidence

#### Insecure Keys | Key Size | Key Type | Issuer | |---|---|---| | 1024 | rsa | /C=US/ST=PA/L=State College/O=AccuWeather.com/OU=Research and Development, New Media/CN=Harrison Lee | | 1024 | rsa | /C=US/ST=PA/L=State College/O=AccuWeather.com/OU=Research and Development, New Media/CN=Harrison Lee | | 1024 | rsa | /C=US/ST=PA/L=State College/O=AccuWeather.com/OU=Research and Development, New Media/CN=Harrison Lee | ... and 9 more

jnowsecure commented 9 months ago

Update: This finding has been marked as resolved by Moi, Edwin. No additional action is required.

Powered by NowSecure Platform

jnowsecure commented 9 months ago

Update: This finding has been marked as no longer resolved by Moi, Edwin. Additional action is required.

Powered by NowSecure Platform

jnowsecure commented 9 months ago

Update: This finding has been dismissed by Moi, Edwin with reason "false positive". No additional action is required.

Powered by NowSecure Platform

jnowsecure commented 9 months ago

Update: This finding has been marked as no longer dismissed by Moi, Edwin. Additional action is required.

Powered by NowSecure Platform

jnowsecure commented 9 months ago

Update: This finding has been dismissed by Moi, Edwin with reason "false positive". No additional action is required.

Powered by NowSecure Platform

jnowsecure commented 9 months ago

Update: This finding has been marked as no longer dismissed by Moi, Edwin. Additional action is required.

Powered by NowSecure Platform

jnowsecure commented 9 months ago

Update: This finding has been dismissed by Moi, Edwin with reason "non production code". No additional action is required.

Powered by NowSecure Platform

edwindwalker / edwinwalker