Your application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. Short key lengths may be vulnerable to brute force attacks and allow an attacker, with access to this key, to inject malware into trusted versions of apps, or tarnish the publisher's brand. When an app is signed with a short key length, an attacker will require significantly less time to crack your signing key. Once an attacker has access to the key, they may publish updates for your app that will be accepted by the OS as valid.
Recommendation
We recommend signing your app using a key with a length of at least 2048
bits (preferably 4096 bits) to provide optimum protection against forged
digital signatures. Keytool, used to sign Android applications as described
here: http://developer.android.com/tools/publishing/app-signing.html,
can be used with the parameter -keysize to specify a longer key
length than the 1024-bit default.
Risk and Regulatory Information
Severity: medium CVSS: 5.9
Application
See more detail in the NowSecure Report