Android Studio warning when using PackageManager.GET_SIGNATURES

Views: 34

Question

I need to get the package signature, and I currently get it using this code:

// c is an android.content.Context; getPackageInfo() throws PackageManager.NameNotFoundException
Signature[] sigs = c.getPackageManager()
                    .getPackageInfo(c.getPackageName(),
                                    PackageManager.GET_SIGNATURES).signatures;

However, Android Studio gives me this warning:

Reading app signatures from getPackageInfo: The app signatures could be exploited if not validated properly; see issue explanation for details.

Improper validation of app signatures could lead to issues where a malicious app submits itself to the Play Store with both its real certificate and a fake certificate and gains access to functionality or information it shouldn't have due to another application only checking for the fake certificate and ignoring the rest. Please make sure to validate all signatures returned by this method.

What does it mean to validate the signatures in this case? I'm going to check the signatures against a server to make sure they match - is that what they mean?

In a local test, all it outputs is a single negative integer, and not an array as the code would have it.

Accepted answer

Tracing the popup text leads to this source code fragment of Android Studio.
In the same file there is a line containing a link to the external resource.
Further tracking leads to this presentation about the "Fake ID" vulnerability.

Description of the problem:

The problem is that when Android builds the chain-of-trust, the verification process only compares the ‘subject’ rather than comparing the actual key with the one provided within the details of the certificate’s signer. As a result, an attacker can tinker with the chain-of-trust and claim to be signed by a party – without the party actually signing.

Due to this bug a wrong certificate chain is generated, and it might include legitimate certificates which are embedded in the APK but weren't used to actually sign the application.

Here is the commit to the Android source code that prevents this vulnerability from being used. That means that if the device has Android 4.4, the problem does not happen. On devices running a lower Android API level, it might cause harm.
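The distinction the lint warning is getting at, as an added example that is not part of the answer: a check that only looks for the presence of one known certificate passes even when an unexpected extra certificate rides along in the array, whereas a check that requires every returned signature to be known does not. The `EXPECTED_SHA256` value is a constructed placeholder, and the `sigs` array is the one from the question's snippet.

```java
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class SignatureCheck {
    // Constructed placeholder: replace with the SHA-256 hex digest of your own release certificate.
    private static final Set<String> EXPECTED_SHA256 = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000"));

    // Weak: passes as soon as one expected certificate is present; an unexpected extra
    // certificate in the array (the Fake ID scenario from the answer) is silently ignored.
    static boolean weakCheck(Signature[] sigs) {
        if (sigs == null) return false;
        for (Signature s : sigs) {
            if (EXPECTED_SHA256.contains(sha256Hex(s.toByteArray()))) return true;
        }
        return false;
    }

    // Strict: every signature returned must be one we expect, and there must be at least one.
    static boolean strictCheck(Signature[] sigs) {
        if (sigs == null || sigs.length == 0) return false;
        for (Signature s : sigs) {
            if (!EXPECTED_SHA256.contains(sha256Hex(s.toByteArray()))) return false;
        }
        return true;
    }

    // Hex-encoded SHA-256 of the DER-encoded certificate bytes held by the Signature.
    static String sha256Hex(byte[] data) {
        try {
            StringBuilder sb = new StringBuilder(64);
            for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is always available on Android
        }
    }
}
```

Pass the `sigs` array from the question's snippet to `strictCheck`; on API 28 and later, `PackageManager.GET_SIGNING_CERTIFICATES` and `hasSigningCertificate()` replace `GET_SIGNATURES`, and the same all-or-nothing rule applies to their results.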
