Open jnowsecure opened 1 month ago
Update: This finding has been marked as resolved by Jack N (Integration). No additional action is required.
Powered by NowSecure Platform
Update: This finding has been marked as no longer resolved by Jack N (Integration). Additional action is required.
Finding Description
At least one key that was used to sign the app is too short to be considered secure.
The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to brute-force attacks that could result in forged digital signatures. An attacker requires significantly less time to brute-force a signing key with a short key length. Insecure keys can be exploited to inject malware into trusted versions of apps, publish updates that will be accepted by the OS as valid, or tarnish the publisher's brand.
The `minSdkVersion` of an app, indicated in the AndroidManifest.xml, determines the signing version that will be used. The signing version specifies the key length that is used during the signing process. For example, if your app supports a `minSdkVersion` of 24 and is installed on an Android 7.0 device, it will use an insecure v2 signing version for verification.

Steps to Reproduce
This test checks that all keys used to sign the app are larger than 1024 bits.
Business Impact
Apps with forged signing keys can be used as a vector for fraud and phishing attacks, which can have significant reputational impact. An attacker can leverage forged app updates to modify an app without the developer's consent.
Remediation Resources
Recommended Fix
You can use Keytool to verify the length of your keys with `keytool -list -v -keystore <key>`. For optimal protection, apps should be signed by a key with a length of at least 2048 (preferably 4096) bits. You can use Keytool with the `-keysize <size>` parameter to specify a key length longer than the 1024-bit default. For apps that have already been signed, updating the key will require key rotation.

Code Samples
Key Replacement Process (.bash)
Additional Guidance
Risk and Regulatory Information
Severity: medium
CVSS: 5.9
Policy Category: Needs Remediation
Application
See more detail in the NowSecure Report
Evidence
#### Insecure Keys

| Key Size | Key Type | Issuer |
|---|---|---|
| 1024 | rsa | /C=US/ST=PA/L=State College/O=AccuWeather.com/OU=Research and Development, New Media/CN=Harrison Lee |
| 1024 | rsa | /C=US/ST=PA/L=State College/O=AccuWeather.com/OU=Research and Development, New Media/CN=Harrison Lee |
| 1024 | rsa | /C=US/ST=PA/L=State College/O=AccuWeather.com/OU=Research and Development, New Media/CN=Harrison Lee |

... and 9 more
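To run the check this finding describes against your own keystore, here is an added example (not NowSecure's check and not the page's bash sample): a Python script that parses the output of `keytool -list -v -keystore <key>` and flags every entry whose key is 1024 bits or shorter, reporting the same key size, key type and issuer columns as the evidence table above. It assumes the JDK 11+ keytool format, which prints a `Subject Public Key Algorithm: <n>-bit <type> key` line per certificate; the listing embedded in the script is constructed sample data.

```python
import re

WEAK_MAX_BITS = 1024      # this finding: keys <= 1024 bits are insecure
RECOMMENDED_BITS = 2048   # recommended minimum signing key length (4096 preferred)

# Constructed sample of `keytool -list -v` output (JDK 11+ format), two entries.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: release
Certificate[1]:
Issuer: CN=Example Signer, O=Example Corp, C=US
Subject Public Key Algorithm: 1024-bit RSA key
Alias name: upload
Certificate[1]:
Issuer: CN=Example Upload, O=Example Corp, C=US
Subject Public Key Algorithm: 4096-bit RSA key
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$", re.M)
ISSUER_RE = re.compile(r"^Issuer:\s*(.+)$", re.M)
KEY_RE = re.compile(r"^Subject Public Key Algorithm:\s*(\d+)-bit (\w+) key", re.M)


def parse_keytool_listing(text):
    """One dict per keystore entry (alias, bits, type, issuer); entries are
    delimited by "Alias name:" lines and the first match is Certificate[1], the leaf."""
    starts = [m.start() for m in ALIAS_RE.finditer(text)] + [len(text)]
    entries = []
    for begin, end in zip(starts, starts[1:]):
        chunk = text[begin:end]
        key, issuer = KEY_RE.search(chunk), ISSUER_RE.search(chunk)
        entries.append({
            "alias": ALIAS_RE.search(chunk).group(1).strip(),
            "bits": int(key.group(1)) if key else None,   # None: older keytool omits the line
            "type": key.group(2).lower() if key else None,
            "issuer": issuer.group(1).strip() if issuer else None,
        })
    return entries


def weak_keys(entries, max_bits=WEAK_MAX_BITS):
    """Entries that fail the finding's check: key size unknown or <= max_bits."""
    return [e for e in entries if e["bits"] is None or e["bits"] <= max_bits]


if __name__ == "__main__":
    for e in weak_keys(parse_keytool_listing(SAMPLE_KEYTOOL_OUTPUT)):
        print(f"WEAK | {e['bits']} | {e['type']} | {e['issuer']} | alias={e['alias']}; "
              f"rotate to a >= {RECOMMENDED_BITS}-bit key (keytool -genkeypair -keysize)")
```

Pipe real output in with `keytool -list -v -keystore release.jks | python check_keys.py` after replacing the sample constant with `sys.stdin.read()`; an entry with no key-size line is reported as weak so it is reviewed rather than silently passed.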