Android Studio warning when using PackageManager.GET_SIGNATURES


Question

I need to get the package signature, and I currently get it using this code:

// c is an android.content.Context; the array holds the DER-encoded signing certificates
Signature[] sigs = c.getPackageManager()
                        .getPackageInfo(c.getPackageName(),
                                        PackageManager.GET_SIGNATURES).signatures;

However, Android Studio gives me this warning:


Reading app signatures from getPackageInfo: The app signatures could be exploited if not validated properly; see issue explanation for details.

Improper validation of app signatures could lead to issues where a malicious app submits itself to the Play Store with both its real certificate and a fake certificate and gains access to functionality or information it shouldn't have due to another application only checking for the fake certificate and ignoring the rest. Please make sure to validate all signatures returned by this method.

What does it mean to validate the signatures in this case? I'm going to check the signatures against a server to make sure they match - is that what they mean?

In a local test, all it outputs is a single negative integer, and not an array as the code would have it.

Answer

Tracing the popup text leads to this source code fragment of Android Studio.
In the same file there is a line containing a link to the external resource.
Further tracking leads to this presentation about the "Fake ID" vulnerability.

Problem description

The problem is that when Android builds the chain-of-trust, the verification process only compares the 'subject' rather than comparing the actual key with the one provided within the details of the certificate's signer. As a result, an attacker can tinker with the chain-of-trust and claim to be signed by a party - without the party actually signing.

Due to this bug a wrong certificate chain is generated, and it might include legitimate certificates which are embedded in the APK but weren't used to actually sign the application.

Here is the commit to the Android source code that prevents the use of this vulnerability. That means that if the device has Android 4.4 the problem does not occur. When running on devices with a lower Android API level, it might cause harm.
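The check the lint warning is asking for, as an added example that is not part of the original question or answer: hash every certificate in the signatures array and require all of them to be on a pinned allow-list, instead of accepting the package as soon as one known certificate turns up (which is exactly what a Fake ID chain exploits). The allow-list entry below is a placeholder, not a real fingerprint, and the class and method names are assumptions made for this example. The certificate bytes come from Signature.toByteArray(); printing the array or a Signature's hashCode() only yields an int. On API 28 and later GET_SIGNATURES is deprecated in favour of GET_SIGNING_CERTIFICATES and PackageManager.hasSigningCertificate, but the "all, not any" rule is the same.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class SignatureCheck {
    // Placeholder: SHA-256 fingerprints (uppercase hex) of the certificates allowed to
    // sign the package. Replace with the real release certificate fingerprint(s).
    private static final Set<String> ALLOWED_CERT_SHA256 = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000"));

    private SignatureCheck() {}

    /** Returns true only if every signature on the package is on the allow-list. */
    public static boolean isSignedOnlyByTrustedCerts(Context c, String packageName) {
        Signature[] sigs;
        try {
            sigs = c.getPackageManager()
                    .getPackageInfo(packageName, PackageManager.GET_SIGNATURES)
                    .signatures;
        } catch (PackageManager.NameNotFoundException e) {
            return false; // unknown package: treat as untrusted
        }
        return allSignaturesTrusted(sigs);
    }

    /**
     * Core rule: an empty array fails, and a single unknown certificate anywhere in the
     * array fails. A check that returns true as soon as one trusted certificate is found
     * is the weak form the lint warning describes.
     */
    static boolean allSignaturesTrusted(Signature[] sigs) {
        if (sigs == null || sigs.length == 0) {
            return false;
        }
        for (Signature sig : sigs) {
            // Hash the DER-encoded certificate, not Signature.hashCode()
            if (!ALLOWED_CERT_SHA256.contains(sha256Hex(sig.toByteArray()))) {
                return false;
            }
        }
        return true;
    }

    static String sha256Hex(byte[] der) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02X", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on Android", e);
        }
    }
}
```

If the comparison is done against a server, as the question suggests, send the full list of fingerprints and apply the same rule server-side: the package is accepted only when every fingerprint is known, never when merely one of them is.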
