Bluebox Security reports an Android application signature verification bypass vulnerability

Source: Internet
Author: User

I. Vulnerability description

Security company Bluebox Security recently claimed to have discovered a vulnerability that may affect 99% of devices running Android. According to the statement, the vulnerability has existed since Android 1.6 (Donut). Malware makers can use it to modify the code of an APK without breaking its cryptographic signature, so an attacker can bypass the signature verification mechanism that protects Android applications.

II. Affected devices

In theory, it affects every device running a version from Android 1.6 up to the time the issue was reported to Google.

III. Vulnerability principles

1. How can a malicious APK bypass the Android signature verification mechanism without modifying the application signature?

Comparison before and after the vulnerability fix: (luni/src/main/java/util/zip/ZipFile.java)

Before the fix, Android did not consider duplicate entryName values in the APK (zip) archive, so a malware maker can craft a specific APK package that bypasses the Android APK certificate verification.

The malicious APK package contains two entries with entryName = "classes.dex". Their corresponding data are malicious.data and org.data, and malicious.data is located before org.data in the archive.

During APK parsing, when two entries share the same entryName, the later entry overwrites the earlier one's information, so the certificate signature verification checks org.data and passes successfully.

2. How does the inserted malicious.data bypass the Android APK package certificate verification?

After the APK package has been verified, the install process requests that the code be optimized. The optimized code is the code that is loaded when the app runs.

Dex optimization is completed in dalvik2\dexopt\OptMain.cpp.

OptMain.cpp handles APK compressed files through dalvik2\libdex\ZipArchive.cpp.

Analysis of the ZipArchive.cpp code shows that the native parser accepts an APK package containing files with the same entryName without overwriting either one. When it extracts the compressed content by the file name classes.dex, it always returns the data of the first entry that matches the name, so the inserted malicious.data becomes the code that is actually optimized.

After the above two steps, the entire vulnerability can be exploited. (I have not actually verified the above logic)
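The parser discrepancy described in steps 1 and 2, together with the defensive check that the fix introduced (rejecting duplicate entry names), as an added Python example; it is not code from the original article or from AOSP. The in-memory archive, the entry contents malicious.data / org.data and the function names are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter

ENTRY = "classes.dex"


def build_sample_archive() -> bytes:
    """Constructed sample (not a real APK): a zip whose central directory holds two
    entries both named classes.dex, the first carrying malicious.data and the
    second the signed original org.data, in the order the article describes."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name on write
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(ENTRY, b"malicious.data")
            zf.writestr(ENTRY, b"org.data")
    return buf.getvalue()


def read_last_match(archive: bytes, name: str) -> bytes:
    """Name-keyed lookup: the later central-directory entry overwrites the earlier
    one, the behaviour the article attributes to the pre-fix Java ZipFile that
    signature verification relies on (Python's zipfile keys entries the same way)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


def read_first_match(archive: bytes, name: str) -> bytes:
    """Linear scan returning the first entry whose name matches, the behaviour the
    article attributes to the native libdex parser used by dexopt."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)  # read this specific entry, not a name lookup
    raise KeyError(name)


def duplicate_entry_names(archive: bytes) -> list:
    """Defensive check: every entry name that occurs more than once. The fix in
    ZipFile.java rejects such archives; an installer-side scanner can do the same."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(n for n, c in counts.items() if c > 1)
```

The two readers disagree on the same archive, which is the whole vulnerability; the duplicate-name check is the condition that must be enforced by every component in the chain.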

 

IV. POC code

Open source POC: https://gist.github.com/poliva/36b0795ab79ad6f14fd8

Related:
http://review.cyanogenmod.org/#/c/45251/
http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/
http://cn.engadget.com/2013/07/04/bluebox-reveals-android-security-vulnerability/

Original article: http://blog.csdn.net/jiazhijun/article/details/9280995
