The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to brute-force attacks that can result in forged digital signatures. An attacker requires significantly less time to brute-force a signing key with a short key length and can use the recovered key to inject malware into trusted versions of the app, publish updates for the app that the OS will accept as valid, or tarnish the publisher's brand.
Steps to Reproduce
The Keytool command can be used to verify the length of a key: `keytool -list -v -keystore <key>`
NowSecure's automated testing for this finding determines if the key used to sign the app is larger than 1024 bits.
Business Impact
Apps whose signing keys have been forged can be used as a vector for fraud-related attacks as well as phishing attacks, which can have significant reputational impact. An attacker can use a forged app update to modify the app without the developer's consent.
Remediation Resources
Recommended Fix
We recommend signing your app using a key with a length of at least 2048 bits (preferably 4096 bits) to provide optimum protection against forged digital signatures.
Keytool should be used to sign Android applications as described here: https://developer.android.com/studio/publish/app-signing. Use the parameter `-keysize <size>` to specify a longer key length than the 1024-bit default.
For apps that have already been signed, updating the key requires key rotation through the use of APK Signature Scheme v3: https://support.google.com/googleplay/android-developer/answer/9842756?hl=en.
Code Samples
Key Replacement Process (.bash)
To replace the key of an app that has already been published, a key rotation must be performed: the new certificate is linked to the previous certificates in a chain that tells other applications and the OS that the new certificate can be trusted. Once the new key has been generated, it must be added to the Google Play Console so that future builds signed with the new certificate are accepted by the Play Store and by the app.
From Command Line

App Key Generation:

```bash
$ keytool -genkey -v -keystore my-key.keystore -alias alias_name -keyalg RSA -keysize 4096 -validity 10000
```

Debug Key Generation:

```bash
$ keytool -genkey -v -keystore debug.keystore -storepass android -alias androiddebugkey -keypass android -keyalg RSA -keysize 4096 -validity 10000
```
Evidence
#### Insecure Keys
| Key Size | Key Type | Issuer |
|---|---|---|
| 1024 | rsa | /C=US/ST=PA/L=State College/O=AccuWeather.com/OU=Research and Development, New Media/CN=Harrison Lee |
| 1024 | rsa | /C=US/ST=PA/L=State College/O=AccuWeather.com/OU=Research and Development, New Media/CN=Harrison Lee |
| 1024 | rsa | /C=US/ST=PA/L=State College/O=AccuWeather.com/OU=Research and Development, New Media/CN=Harrison Lee |
... and 9 more
Additional Guidance
Risk and Regulatory Information
Severity: medium
CVSS: 5.9
Policy Category: Needs Remediation