
APK Signatures



A deep dive into the APK signature schemes. (OWASP Saitama MTG #5, talk #1)


Takahiro Yoshimura

November 30, 2021


Transcript

  1. WHO I AM
     ▸ Takahiro Yoshimura (@alterakey)
       https://keybase.io/alterakey
     ▸ Monolith Works Inc.
       Co-founder, CTO
       Security researcher
  2. WHAT I DO
     ▸ Security research and development
     ▸ iOS/Android Apps
       → Financial, Games, IoT related, etc. (>200)
       → trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017]
     ▸ Windows/Mac/Web/HTML5 Apps
       → POS, RAD tools etc.
     ▸ Network/Web penetration testing
       → PCI-DSS etc.
     ▸ Search engine reconnaissance (aka. Google Hacking)
     ▸ Whitebox testing
     ▸ Forensic analysis
  3. WHAT I DO
     ▸ CTF
     ▸ Enemy10, Sutegoma2
     ▸ METI CTFCJ 2012 Qual.: Won
     ▸ METI CTFCJ 2012: 3rd
     ▸ DEF CON 21 CTF: 6th
     ▸ DEF CON 22 OpenCTF: 4th
     ▸ Talks, presentations, etc.
       DEF CON 25 Demo Labs (2017)
       DEF CON 27 AI Village (2019)
       CODE BLUE (2017, 2019)
       CYDEF (2020) etc.
     (DEFCON 2016 by Wiyre Media on flickr, CC-BY 2.0)
  4. APK SIGNING
     ▸ APK: Android PacKage file
       A specially prepared zip file
     ▸ Android applications must be signed
     ▸ This is said to guarantee legitimacy…
       but what it guarantees is mainly the origin
     ▸ Origin-based authorization control
       (sandbox, strongbox, IPC, permission, …)
  5. V1: JARSIGNER
     ▸ An application of the JAR signing mechanism
       (mainly used up to build-tools v24)
     ▸ jarsigner, apksigner (v1)
     ▸ Computes a signature for each file and stores it under META-INF
       RSA: SHA1 (<18), SHA256 (>=18)
       DSA: SHA1 (<21), SHA256 (>=21)
       ECDSA: SHA256 (>=21)
     ▸ Verification: check the signature against each extracted entry
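  6. V2: SIGN WITH ZIP METADATA
     ▸ The new scheme (build-tools v24, API 24 and later)
     ▸ apksigner (v2)
     ▸ Computes an overall signature over the archive contents, the Central Directory and the end record, and stores it in the APK Signing Block
     ▸ Splits the data into 1 MB pieces and computes a block signature for each
       0xa5 + (size uint32[LE]) + contents
     ▸ Computes the overall signature over the block signatures
       0x5a + (number of blocks uint32[LE]) + contents in order of appearance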
  7. APK SIGNING BLOCK
     ▸ A special region that holds signing-related information
       (between the archive contents and the Central Directory)
     ▸ The contents are a relatively simple KVS…
       +0: trailing_size:uint64
       +8: [[size:uint64, id:uint32, value:bytes], …]
       +n: trailer_size:uint64 = +0
       +n+8: b"APK Sig Block 42"
  8. V2: BLOCK FORMAT
     ▸ ID: 0x7109871a, [Signer, …]
     ▸ Signer:
       [SignedData, [Signature, …], PublicKey]
     ▸ SignedData:
       [[Digest, …], [Certificate, …], [Attribute, …]]
     ▸ Digest: [algoID:uint32, digest:bytes]
     ▸ Certificate: bytes (ASN.1 DER)
     ▸ Attribute: [id:uint32, value:bytes]
     ▸ Signature: [algoID:uint32, sigOfSignedData:bytes]
     ▸ PublicKey: bytes (ASN.1 DER)
  9. V2: ALGORITHMS
     ▸ 0x0101: RSASSA-PSS with SHA2-256, SHA2-256 MGF1, 32 bytes of salt, trailer: 0xbc
     ▸ 0x0102: RSASSA-PSS with SHA2-512, SHA2-512 MGF1, 64 bytes of salt, trailer: 0xbc
     ▸ 0x0103: RSASSA-PKCS1-v1_5 with SHA2-256 (determ.)
     ▸ 0x0104: RSASSA-PKCS1-v1_5 with SHA2-512 (determ.)
     ▸ 0x0201: ECDSA with SHA2-256
     ▸ 0x0202: ECDSA with SHA2-512
     ▸ 0x0301: DSA with SHA2-256
  10. V2: ALGORITHMS
     ▸ RSA: 1024, 2048, 4096, 8192, 16384
     ▸ EC: NIST P-256, P-384, P-521
     ▸ DSA: 1024, 2048, 3072
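  11. .. MUCH BETTER
     ▸ No extraction needed at verification time → faster
     ▸ Metadata is now protected as well
       → An effective countermeasure against Master Key/Fake ID and the like
     ▸ Protection against downgrade attacks
       → Requires the X-Android-APK-Signed attribute
       → An attribute that stops verification with v1
     ▸ …Why Merkle-tree-like in the first place?
       → To make the computation easy to parallelize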
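  12. V3: KEY ROTATION
     ▸ Until now the private key could not be changed…
       From Android 9.0 (API 28) it can be updated!
       (key rotation)
     ▸ apksigner (v3)
     ▸ Key pairs now need to be authenticated…
     ▸ The conditions under which a signature block applies and the proof of succession are additionally stored in the APK Signing Block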
  13. V3: FORMAT
     ▸ Apart from ID = 0xf05368c0 it is almost identical to V2, but…
     ▸ Signer:
       [SignedData,
        minSDK:uint32, maxSDK:uint32,
        [Signature, …], PublicKey]
     ▸ SignedData:
       [[Digest, …], [Certificate, …],
        minSDK:uint32, maxSDK:uint32,
        [Attribute, …, ProofOfRotation]]
  14. V3: FORMAT
     ▸ ProofOfRotation: [Level, …] | [Set, …]
     ▸ Level: [[[Certificate, algoID:uint32], flags:uint32, algoID:uint32, Signature], …]
     ▸ Set: [[[Certificates, AlgoIDs], flags:uint32, Signatures], …]
     ▸ Certificates: [Certificate, …]
     ▸ AlgoIDs: [algoID:uint32, …]
     ▸ Signatures: [algoID:uint32, signature:bytes]
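  15. ITCHES SCRATCHED..?
     ▸ Keys can now be replaced
     ▸ Key pairs form a DAG → authentication
     ▸ Each level's key can be marked as to whether it may inherit privileges
     ▸ Note that a set of keys does not authenticate the individual keys
       e.g. with A -> (B,C), A -> B is not authenticated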
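  16. NO AD-HOC SIGNS, USE PLAY STORE!
     ▸ If the key has been lost in the first place, it cannot be replaced
     ▸ Losing a key is not a rare accident…
       Even Google has done it (G. Authenticator)
     ▸ So, let Play Store sign on your behalf…
     ▸ Signs with a key chosen according to versionCode
     ▸ Unrelated to V3 key rotation, of course
       (which, if anything, is now not recommended)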
  17. V4: FILESYSTEM-LEVEL INTEGRITY
     ▸ Detached signature (.idsig) and early verification of the whole APK
       Supported from Android 11 (API 30)
     ▸ apksigner (v4)
     ▸ Simplified by using the same hash tree structure as fs-verity
     ▸ hash tree: SHA-256, blocksize=4096
     ▸ salt/block padding: zero
     ▸ Only the starting block is cross-checked against V2/V3
  18. V4: FORMAT
     ▸ signature:uint32 = 2
     ▸ hashing_info:
       hash_algorithm:int32 = 1 # SHA256
       log2_blocksize:int8 = 12 # 4096
       salt:bytes # 32-bytes
       raw_root_hash:bytes # salted hash: MT #0
     ▸ signing_info:
       apk_digest: bytes # first block hash
       x509_certificate: bytes # ASN.1 DER
       additional_info: bytes
       public_key: bytes
       signature_algorithm: int32
       signature: bytes
     ▸ merkle_tree: Optional[bytes]
  19. V4: FORMAT
     ▸ V4DataForSigning:
       size: int32
       file_size: int64
       hashing_info.hash_algorithm
       hashing_info.log2_blocksize
       hashing_info.salt
       hashing_info.raw_root_hash
       signing_info.apk_digest
       signing_info.x509_certificate
       signing_info.additional_data
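  20. WHY? ALL FOR STREAMING
     ▸ First verify the Merkle tree itself,
       then verify the whole file according to the Merkle tree
     ▸ To confirm there is no discrepancy with the APK,
       verify just one of the actual block signatures
     ▸ If it does not match, verify again with v2/v3
     ▸ Verification is possible without reading the whole file through once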
  21. V1 IS ALIVE — LIKE ZOMBIES ..
     ▸ Note that V1 also continues to work
     ▸ It is stopped when V2+ is present, but…
       removing V2+ itself is all it takes
     ▸ However: V2+ cannot be downgraded to V1,
       so an app once installed with V2+ cannot be weakened…
  22. RESIGNING IS HISTORY? — NOPE
     ▸ Still works as long as data is not carried over
     ▸ Because v1 is currently still accepted
     ▸ Even if v2+ becomes mandatory in future…
       jarsigner→apksigner is enough
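  23. 2021-08 UPDATE: SALVATION?
     ▸ Android App Bundle (AAB) becomes mandatory
     ▸ Until now developers built and submitted an APK for each environment every time
     ▸ The change amounts to: from now on give us everything, versionCode and the like do not matter
     ▸ Aside: at first some said AAB was a completely proprietary format… but it was open-sourced as usual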
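  24. 2021-08 UPDATE: PERFORMANCE ..
     ▸ Play Store carves APKs out of the AAB and serves them
     ▸ A countermeasure against install-size bloat
     ▸ …What about signing? What about versionCode?
       Google will do it.
       On behalf of you developers.
     ▸ Developers provide the key and Play Store signs transparently
       ∴ AAB signing is very permissive (v1..4)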
  25. 2021-08 UPDATE: V2+ SIGNS ARE NOW USED
     ▸ Signature chosen according to the device; i.e. Android 11 and later: v4
     ▸ Keys do not get lost either…
       But is this really all right?
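  26. TAKEAWAYS
     ▸ Evolution of signing:
       V1: the so-called jarsigner (since Android day 1!)
       V2: considerable progress (API 24 and later)
       V3: considerably more complex (API 28 and later)
       V4: considerably faster (API 30 and later)
     ▸ Play Store now runs signing
       ・Specification changes driven mainly by convenience
       ・Metadata-based attacks do not work, for the time being
       ・Quite old devices (API 23 and below) are another matter → time to replace them…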
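  27. TAKEAWAYS
     ▸ V1 is still very much alive…
       wherever Play Store's eyes do not reach…
     ▸ Resigning attacks also remain effective
       → Removing v2, v3 and v4 leaves no problem at all
       → apksigner can do it in the first place
       → The device does not care whose signature it is
     ▸ Be careful when installing from anywhere other than Play Store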
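
The APK Signing Block layout on slide 7, together with the scheme IDs on slides 8 and 13, is enough to tell which of v2 and v3 an APK carries, which is the first thing to check given the v1-only concern on slides 21 and 27. The parser below is an added example, not code from the deck or from apksigner; `build_sample` produces a constructed test input, and the sketch assumes no ZIP64 and no EOCD comment containing the `PK\x05\x06` marker.

```python
import struct
from typing import Dict, List, Optional

MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # IDs from slides 8 and 13

def signing_block_pairs(apk: bytes) -> Optional[bytes]:
    """Return the ID-value area of the APK Signing Block, or None if absent."""
    eocd = apk.rfind(b"PK\x05\x06")  # End of Central Directory record
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("no ZIP End of Central Directory record")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != MAGIC:
        return None  # nothing between the archive contents and the CD
    (trailer_size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - trailer_size - 8  # size fields do not count the first uint64
    if trailer_size < 24 or start < 0:
        raise ValueError("implausible signing block size")
    if struct.unpack_from("<Q", apk, start)[0] != trailer_size:
        raise ValueError("leading and trailing size fields disagree")
    return apk[start + 8:cd_offset - 24]

def parse_pairs(area: bytes) -> Dict[int, bytes]:
    """Walk the [size:uint64, id:uint32, value:bytes] entries."""
    pairs, pos = {}, 0
    while pos < len(area):
        if pos + 12 > len(area):
            raise ValueError("truncated entry header")
        size, ident = struct.unpack_from("<QI", area, pos)
        if size < 4 or pos + 8 + size > len(area):
            raise ValueError("entry overruns the block")
        pairs[ident] = area[pos + 12:pos + 8 + size]
        pos += 8 + size
    return pairs

def schemes_present(apk: bytes) -> List[str]:
    area = signing_block_pairs(apk)
    found = parse_pairs(area) if area is not None else {}
    return sorted(SCHEME_IDS[i] for i in found if i in SCHEME_IDS)

def build_sample(ids: List[int]) -> bytes:
    """Constructed input: fake contents + signing block + empty CD + EOCD."""
    contents, block = b"constructed zip entries ", b""
    if ids:
        area = b"".join(struct.pack("<QI", 9, i) + b"dummy" for i in ids)
        size = struct.pack("<Q", len(area) + 24)
        block = size + area + size + MAGIC
    cd_offset = len(contents) + len(block)
    return contents + block + struct.pack(
        "<4sHHHHIIH", b"PK\x05\x06", 0, 0, 0, 0, 0, cd_offset, 0)
```

An empty result from `schemes_present` means the file can only be verified with v1; it says nothing about whether any signature found is valid.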
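
The two-level computation on slide 6 (what the slide calls block signatures and the overall signature) and the parallelization rationale on slide 11, as an added example that is not code from the deck or from apksigner. It assumes SHA-256 and that the caller passes the three protected regions as byte strings; `sample_sections` returns constructed data.

```python
import hashlib
import struct
from concurrent.futures import ThreadPoolExecutor

CHUNK = 1024 * 1024  # 1 MB, as on slide 6

def split_chunks(sections):
    """Cut each section (contents, Central Directory, end record) into 1 MB chunks."""
    return [s[off:off + CHUNK] for s in sections for off in range(0, len(s), CHUNK)]

def chunk_digest(chunk):
    """SHA-256 over 0xa5 + chunk size (uint32 LE) + chunk contents."""
    return hashlib.sha256(b"\xa5" + struct.pack("<I", len(chunk)) + chunk).digest()

def top_level_digest(sections, workers=1):
    """SHA-256 over 0x5a + chunk count (uint32 LE) + chunk digests in order."""
    chunks = split_chunks(sections)
    if workers > 1:
        # Chunks are independent, so they can be hashed concurrently;
        # map() still returns the results in order of appearance.
        with ThreadPoolExecutor(max_workers=workers) as pool:
            digests = list(pool.map(chunk_digest, chunks))
    else:
        digests = [chunk_digest(c) for c in chunks]
    header = b"\x5a" + struct.pack("<I", len(digests))
    return hashlib.sha256(header + b"".join(digests)).digest()

def sample_sections():
    """Constructed stand-ins for the three protected regions of an APK."""
    contents = bytes(range(256)) * 10240  # 2.5 MB, so three chunks
    central_directory = b"constructed central directory: classes.dex"
    end_record = b"constructed end of central directory"
    return [contents, central_directory, end_record]
```

Changing a single byte of the Central Directory section changes the top-level digest, which is the metadata protection slide 11 refers to.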