Android Question Signature algorithm version

asubias · May 3, 2023

Hello all.
Recently my app made with B4A passed a penetration test and one of the issues discovered was:
Signature algorithm v1 used (Janus CVE-2017-13156)

The provided application is signed with, among others, the v1 version of the Google
Android signature algorithm.
For Android 5 to 7 phones, it has been demonstrated that it is possible to alter parts
of the DEX files when version 1 of the algorithm is used: vulnerability called "Janus"
and referenced as CVE-2017-13156.
An attacker could decompile the application and modify it to inject a backdoor.
Through phishing or social engineering strategies, he could trick a user by offering to
download the modified application that would legitimately update the old application.

Reference: https://www.guardsquare.com/blog/ne...ithout-affecting-their-signatures-guardsquare

Is it possible to use a newer signature algorithm in B4A?

Kind regards,
Alberto

Erel · May 7, 2023

Is this a Google Play app? When you distribute AAB packages the APK is generated on demand and is signed by Google (using your key).

B4A uses the apksigner tool from Android SDK to sign the APK file. It disables v3 and v4 signing features due to compatibility with older devices. You can use the command line builder to build an APK without signing it and then sign it yourself with apksigner.

asubias · May 9, 2023

Yes, it's a Google Play app.

The company that made the test requested the APK, but as far as I remember, I went to Google Play Console and downloaded the "APK signed and universal" from App Blundles Explorer so it should be signed with the proper signature.

It disables v3 and v4 signing features due to compatibility with older devices

That means that if I want to use the lastest signature algorithm should I use the command line?

Erel · May 10, 2023

Or package your app as an AAB.

asubias · May 10, 2023

Erel said:
Or package your app as an AAB.

I'm already doing this. That's why I downloaded the APK from the Google Console.
Maybe the issue is that, despite it decode the AAB and provides you with the "signed and universal" APK, it generates the same APK as B4A.

Erel · May 10, 2023

No such thing. Have they downloaded your app from Google Play?

asubias · May 10, 2023

Erel said:
No such thing. Have they downloaded your app from Google Play?

No, they requested the original APK.

Erel · May 10, 2023

So it has nothing to do with the AAB. If you want to change the APK signature then you need to manually sign it.

asubias · May 10, 2023

Erel said:
So it has nothing to do with the AAB. If you want to change the APK signature then you need to manually sign it.

Ok, understood. Thank you Erel!

Android Question Signature algorithm version

asubias

Member

Erel

B4X founder

asubias

Member

Erel

B4X founder

asubias

Member

Erel

B4X founder

asubias

Member

Erel

B4X founder

asubias

Member

Similar Threads

Android Question Signature algorithm version

Member

B4X founder

Member

B4X founder

Member

B4X founder

Member

B4X founder

Member

Similar Threads

Privacy & Transparency

Privacy & Transparency