App security: upgrade security

Posted by barello at 2020-04-04

By Haoren

A broken app update function is equivalent to the app developer opening a back door on the phone for malicious users.

From a security perspective, a complete app should include the following important modules: the upgrade and update module (server); the network communication module (transmission); the app self-protection module (client: tampering with /data/app/XX.apk, repackaging, algorithm decoding, etc.); the component export module (client); the local data module (client); and the security policy module (client: interface hijacking, keyboard security, UI information disclosure, interface switching protection, memory reading and writing).

This time, let's discuss the security problems introduced by an app's upgrade and update module.

At present, Android has two kinds of hot-patch dynamic repair technology, both open source on GitHub:

(1) DEX subcontracting scheme (such as Nuwa and DroidFix);

(2) Smali diff scheme (AndFix and Dexposed).

Tampering with the update package

Experiments show that getPackageArchiveInfo calls org.apache.harmony.security.utils.JarUtils.verifySignature to verify the validity of the update package, rather than only reading the public key information from the APK package (as shown in the figure below).

The APK public key information obtained with the JarEntry.getCertificates method is also verified by org.apache.harmony.security.utils.JarUtils.verifySignature, and is not simply read from the APK package (as shown in the figure below).

For minor version upgrades (hot patches), AndFix and JSPatch (Security) check the integrity of the update package, leaving the key operations to the developers. AndFix uses JarEntry.getCertificates to compare the public key information for consistency, which ensures signature verification; JSPatch requires developers to encrypt the hash value with a private key, which ensures integrity and signature consistency at the same time.

For major version upgrades (installation through the system installer), the public key information of the local app must be compared with that of the update package for consistency. Integrity verification is also required. The following example code can be used:

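    import android.content.Context;
    import android.content.pm.PackageInfo;
    import android.content.pm.PackageManager;
    import java.io.File;

    // Returns true only if the update APK carries the same signing certificate as the installed app.
    static boolean hasSameSignature(Context context, File file) throws PackageManager.NameNotFoundException {
        // Signature of the currently installed app.
        PackageInfo packageInfo = context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);
        String signs = packageInfo.signatures[0].toCharsString();
        // Signature of the downloaded update package; getPackageArchiveInfo returns null if the file cannot be parsed.
        PackageInfo info2 = context.getPackageManager().getPackageArchiveInfo(file.getAbsolutePath(), PackageManager.GET_SIGNATURES);
        if (info2 == null || info2.signatures == null || info2.signatures.length == 0) {
            return false;
        }
        String signs2 = info2.signatures[0].toCharsString();
        if (signs.equals(signs2)) {
            return true;
        }
        return false;
    }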

When the Android system installer installs an app, it does not verify the integrity of the APK file, which leads to the following problems. Files outside the META-INF directory can be deleted from the APK archive, and the package still installs successfully but fails at run time, so any app can be subjected to denial of service. Arbitrary files can be added to the META-INF directory of the APK archive (to hide malicious code), or the CERT.RSA file can be modified, and the package still installs and runs successfully.

Therefore, a broken app update function is equivalent to the app developer opening a back door on the phone for malicious users.
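The two gaps described above (entries deleted from the archive, and files added under META-INF) can be checked offline before an update package is published or accepted. The Python script below is an added example, not code from the original article: it audits a v1 (JAR) signed APK against META-INF/MANIFEST.MF. The function names and the sample archive are constructed for illustration; it assumes SHA-256 manifest digests and does not verify the signature over the manifest itself, so it complements the certificate comparison rather than replacing it.

```python
import base64, hashlib, io, re, zipfile

# Files that v1 (JAR) signing itself places in META-INF.
SIG_FILE = re.compile(r"META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_manifest(text):
    """Return {entry name: base64 SHA-256 digest} from MANIFEST.MF text."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    digests = {}
    for section in text.split("\n\n")[1:]:  # section 0 holds the main attributes
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def audit_apk(data):
    """Return sorted (problem, entry) pairs for a v1-signed APK given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        names = [n for n in apk.namelist() if not n.endswith("/")]
        listed = parse_manifest(apk.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name.startswith("META-INF/"):
                if not SIG_FILE.match(name):  # per the article, extra files here still install
                    findings.append(("uncovered-file-in-META-INF", name))
            elif name not in listed:
                findings.append(("not-in-manifest", name))
            elif b64_sha256(apk.read(name)) != listed[name]:
                findings.append(("digest-mismatch", name))
        findings += [("missing-from-archive", n) for n in listed if n not in names]
    return sorted(findings)

def build_sample(files, extra=None, drop=()):
    """Constructed test input: a zip whose manifest lists exactly `files`."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, body in files.items():
        manifest += f"Name: {name}\r\nSHA-256-Digest: {b64_sha256(body)}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, body in {**files, **(extra or {})}.items():
            if name not in drop:
                z.writestr(name, body)
    return buf.getvalue()
```

Legitimate builds also place non-signature files under META-INF, so treat that finding as a review list rather than proof of tampering.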
