I. Vulnerability description
The security company Bluebox Security recently claimed to have discovered a vulnerability that may affect 99% of devices running Android. According to their statement, the vulnerability has existed since Android 1.6 (Donut). Malware authors can use it to modify the code inside an APK without breaking the cryptographic signature, so an attacker can bypass the signature verification mechanism that protects Android applications.
II. Affected devices
In theory, it affects every device running a version from Android 1.6 up to the point at which Google issued a fix.
III. Vulnerability principles
1. How can a malicious APK bypass the Android signature verification mechanism without changing the application signature?
Comparison of the code before and after the fix: luni/src/main/java/util/zip/ZipFile.java
Before the fix, Android did not account for duplicate entryName values inside the APK (a ZIP archive), so a malware author can craft a specific APK package that bypasses the certificate check on the APK.
The malicious APK package contains two entries with entryName = "classes.dex". Their contents are malicious.data and org.data respectively, and malicious.data is placed before org.data in the archive.
When the APK is parsed for verification and two entries share the same entryName, the later entry overwrites the earlier one's information, so the certificate signature check is performed against org.data and passes.
2. How does malicious.data get used, so that the APK package certificate verification is bypassed?
After the APK package has been verified, the installer process is asked to optimize the code; the optimized code is what is loaded when the app runs.
Dex optimization is performed in dalvik2\dexopt\OptMain.cpp.
OptMain.cpp processes the APK archive through dalvik2\libdex\ZipArchiver.cpp.
Analysis of the ZipArchiver.cpp code shows that this low-level parser accepts multiple files with the same entryName and does not overwrite them; when the compressed content is extracted by the file name classes.dex, it always returns the data of the first matching entry. As a result, malicious.data becomes the code that is actually optimized.
With these two steps combined, the vulnerability can be fully exploited. (I have not actually verified the above logic.)
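To make the two parsing behaviours concrete, here is an added Python example (it is not the page's POC and not Android's code): it constructs an in-memory archive with two entries named classes.dex, shows that a map-style "last entry wins" index returns the second entry while a "first match wins" scan returns the first, and includes the duplicate-name check that the fix introduces. The function names and the sample entry contents are my own assumptions.

```python
import io
import struct
import warnings
import zipfile
def build_duplicate_entry_zip():
    """Constructed sample: two entries both named "classes.dex" (no META-INF)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("classes.dex", b"malicious.data")  # first in archive
            zf.writestr("classes.dex", b"org.data")        # second in archive
    return buf.getvalue()

def central_directory_entries(data):
    """Yield (name, local_header_offset) in central-directory order."""
    eocd = data.rfind(b"PK\x05\x06")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        yield data[pos + 46:pos + 46 + name_len].decode(), local_off
        pos += 46 + name_len + extra_len + comment_len

def read_local_data(data, local_off):
    """Return the stored bytes behind a local file header (ZIP_STORED only)."""
    comp_size, _, name_len, extra_len = struct.unpack_from("<IIHH", data, local_off + 18)
    start = local_off + 30 + name_len + extra_len
    return data[start:start + comp_size]

def lookup_last_wins(data, name):
    """Map-style index, later duplicate replaces earlier (the pre-fix ZipFile.java behaviour the article describes, verifier side)."""
    table = {n: off for n, off in central_directory_entries(data)}
    return read_local_data(data, table[name])

def lookup_first_wins(data, name):
    """Linear scan, first match wins (the ZipArchiver.cpp behaviour the article describes, dexopt side)."""
    for n, off in central_directory_entries(data):
        if n == name:
            return read_local_data(data, off)
    raise KeyError(name)

def duplicate_entry_names(data):
    """The check the fix adds: report every name that appears more than once."""
    seen, dupes = set(), []
    for n, _ in central_directory_entries(data):
        if n in seen and n not in dupes:
            dupes.append(n)
        seen.add(n)
    return dupes
```

Any archive for which duplicate_entry_names() returns a non-empty list should be rejected before signature verification, which is exactly what the patched ZipFile.java does.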
IV. POC code
Open source POC: https://gist.github.com/poliva/36b0795ab79ad6f14fd8
V. Related links
http://review.cyanogenmod.org/#/c/45251/
http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/
http://cn.engadget.com/2013/07/04/bluebox-reveals-android-security-vulnerability/
Original article: http://blog.csdn.net/jiazhijun/article/details/9280995