Android Question Signature algorithm version

A

asubias

Member
Licensed User
Hello all.
Recently my app made with B4A passed a penetration test and one of the issues discovered was:
Signature algorithm v1 used (Janus CVE-2017-13156)
The provided application is signed with, among others, the v1 version of the Google
Android signature algorithm.
For Android 5 to 7 phones, it has been demonstrated that it is possible to alter parts
of the DEX files when version 1 of the algorithm is used: vulnerability called "Janus"
and referenced as CVE-2017-13156.
An attacker could decompile the application and modify it to inject a backdoor.
Through phishing or social engineering strategies, he could trick a user by offering to
download the modified application that would legitimately update the old application.
Click to expand...
Reference: https://www.guardsquare.com/blog/ne...ithout-affecting-their-signatures-guardsquare

Is it possible to use a newer signature algorithm in B4A?

Kind regards,
Alberto
 
Sort by date Sort by votes
Erel

Erel

B4X founder
Staff member
Licensed User
Longtime User
Is this a Google Play app? When you distribute AAB packages the APK is generated on demand and is signed by Google (using your key).

B4A uses the apksigner tool from Android SDK to sign the APK file. It disables v3 and v4 signing features due to compatibility with older devices. You can use the command line builder to build an APK without signing it and then sign it yourself with apksigner.
 
Upvote 0
A

asubias

Member
Licensed User
Yes, it's a Google Play app.

The company that made the test requested the APK, but as far as I remember, I went to Google Play Console and downloaded the "APK signed and universal" from App Blundles Explorer so it should be signed with the proper signature.

It disables v3 and v4 signing features due to compatibility with older devices
Click to expand...
That means that if I want to use the lastest signature algorithm should I use the command line?
 
Upvote 0
A

asubias

Member
Licensed User
Erel said:
Or package your app as an AAB.
Click to expand...
I'm already doing this. That's why I downloaded the APK from the Google Console.
Maybe the issue is that, despite it decode the AAB and provides you with the "signed and universal" APK, it generates the same APK as B4A.
 
Upvote 0
You must log in or register to reply here.

Similar Threads

K
  • Question
Android Question private key algorithm is not compatible with signature algorithm
Replies
1
Views
821
kohlenach
K
CVR
  • Question
Android Question jarsigner error: java.security.SignatureException: private key algorithm is not compatible with signature algorithm
Replies
1
Views
629
CVR
CVR
slpxpp
  • Locked
  • Question
Android Question key algorithm not compatible with signature algorithm
Replies
2
Views
2K
Erel
Erel
Erel
  • Question
Other B4A v10.9 BETA is available for download
Replies
5
Views
8K
ddefrain
ddefrain
Erel
  • Article
Android Tutorial jarsigner error: java.security.SignatureException: private key algorithm is not compatible
Replies
2
Views
15K
Erel
Erel
Top