Discovered the ability to bypass digital signatures in Android applications

Developers of applications running on the Android OS are required to identify them with a digital signature. This requirement, which has existed since the first version of the OS, protects APK files against modification by unauthorized authors. When an application update is installed, the digital signature of the update is compared with that of the original application.

GuardSquare, a cyber security company based in Belgium, has found that the signature check can be bypassed. The GuardSquare report identifies the bug as CVE-2017-13156 and calls it Janus. This dangerous vulnerability makes it possible to change an APK file without changing the application's digital signature.

During normal operation, after the digital signatures have been compared, the application is compiled into a DEX file (Dalvik EXecutable) and launched on the user's device. The Janus bug allows the original APK to be combined with a modified DEX executable. After the system installs the application, the code from the DEX file is launched. Attackers can thus gain access to user data, or the ability to install a version of the application modified by the attacker, with subsequent updates.

The bug allows attackers to work with the original JAR-based signatures (Android 5.0 and higher). For Android 7.0 Nougat, this method has been replaced by APK Signature Scheme v2, which is protected from Janus.

Google was notified of the vulnerability on July 31, but the bug was only fixed by an update released on December 5. The scale of the problem facing users has now been significantly reduced.
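A defender can screen APK files for the condition described above, a single file that is both a DEX executable and a signed archive. The following is an added example, not code from GuardSquare or from this article; it assumes the published format markers (DEX files begin with `dex\n`, ZIP archives begin with `PK\x03\x04` and end with a `PK\x05\x06` record, and APK Signature Scheme v2 places the marker `APK Sig Block 42` just before the ZIP central directory), and the function names are hypothetical.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                   # first bytes of a Dalvik executable
ZIP_LOCAL_MAGIC = b"PK\x03\x04"        # first bytes of a normal ZIP/APK
EOCD_MAGIC = b"PK\x05\x06"             # ZIP end-of-central-directory record
SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailer of the APK Signing Block (v2)


def find_eocd(data: bytes) -> int:
    """Offset of the ZIP end record (22 bytes + comment <= 65535), or -1."""
    start = max(0, len(data) - 22 - 65535)
    return data.rfind(EOCD_MAGIC, start)


def inspect_apk(data: bytes) -> dict:
    """Classify a file by its leading magic bytes and its ZIP trailer."""
    eocd = find_eocd(data)
    is_zip = eocd != -1 and eocd + 22 <= len(data)
    has_sig_block = False
    if is_zip:
        # Central directory offset is a little-endian u32 at EOCD + 16.
        (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
        has_sig_block = (cd_offset >= 16 and
                         data[cd_offset - 16:cd_offset] == SIG_BLOCK_MAGIC)
    return {
        "is_zip": is_zip,
        "starts_as_dex": data.startswith(DEX_MAGIC),
        "starts_as_zip": data.startswith(ZIP_LOCAL_MAGIC),
        "has_apk_signing_block": has_sig_block,
        # A file that is an archive and a DEX at once is the Janus indicator.
        "janus_suspect": is_zip and data.startswith(DEX_MAGIC),
    }


def constructed_zip() -> bytes:
    """Build a tiny ZIP in memory (constructed sample, not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    clean = constructed_zip()
    # Constructed sample: DEX magic and padding only, followed by the archive.
    suspect = DEX_MAGIC + b"035\x00" + b"\x00" * 104 + clean
    for name, blob in (("clean", clean), ("suspect", suspect)):
        print(name, inspect_apk(blob))
```

A file flagged `janus_suspect` should be rejected regardless of what its JAR signature says; `has_apk_signing_block` being false means the file carries no v2 signing block and relies on the older JAR-based scheme.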
