Wrong result for Signer Certificate

[burakakyol]

EXPLANATION OF THE ISSUE

We're getting wrong results from the static analyzer for signing schemes. While the static analyzer says the apk is signed by the v1 signature scheme, Android's analyzer tool says v1 is disabled. I wonder why we get different results. Which result is consistent to reporting?

In fact, The application doesn't support the v1 signing. So, we must be able to see the v1 signing as false.

build.gradle

signingConfigs {

            v1SigningEnabled false
            v2SigningEnabled true
        }
    }

MobSF Result:

Apksigner Result:
Command: Android/sdk/build-tools/29.0.3/apksigner verify --print-certs xxx.apk

Output:

Verified using v1 scheme (JAR signing): false

Verified using v2 scheme (APK Signature Scheme v2): true

STEPS TO REPRODUCE THE ISSUE

1. Static analyze for the apk
2. Analyze the apk by using apksigner verify --print-certs xxx.apk
3. Compare the results for Signer Certificate

ENVIRONMENT

OS and Version: macOS Monterey, 12.2.1
Python Version: 3.10.6
MobSF Version: v3.6.3 Beta

[github-actions]

👋 @burakakyol
Issues is only for reporting a bug/feature request. For limited support, questions, and discussions, please join MobSF Slack channel
Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

[ajinabraham]

Hi @burakakyol Thanks for the report. Can you share an APK to troubleshoot this?

[burakakyol]

Hi @ajinabraham ,

Due to company policy, I'm not able to share the APK.
When we checked the source code, It seems AndroGuard just checks whether there is a . RSA file exists or not, in order to decide whether the apk has a v1 signature scheme.

Step 1

def is_signed_v1(self):
 """
 Returns true if a v1 / JAR signature was found.
 Returning `True` does not mean that the file is properly signed!
 It just says that there is a signature file which needs to be validated.
 """
 return self.get_signature_name() is not None

Source Code

Step 2

def get_signature_name(self):
 """
 Return the name of the first signature file found.
 """
 if self.get_signature_names():
 return self.get_signature_names()[0]
 else:
 # Unsigned APK
 return None

 Source Code
 
Step 3

def get_signature_names(self):
 """
 Return a list of the signature file names (v1 Signature / JAR
 Signature)
 :rtype: List of filenames matching a Signature
 """
 signature_expr = re.compile(r"^(META-INF/)(.*)(\.RSA|\.EC|\.DSA)$")
 signatures = []
for i in self.get_files():
 if signature_expr.search(i):
 if "{}.SF".format(i.rsplit(".", 1)[0]) in self.get_files():
 signatures.append(i)
 else:
 log.warning("v1 signature file {} missing .SF file - Partial signature!".format(i))
return signatures

Source Code

As you can see in the last function, the regex only checks if there are RSA, EC, and DSA extensions that v1 signature scheme needs in the apk. However, this doesn’t mean the apk is signed with v1 signature scheme.

In fact, If the minSdkVersion is greater than 24, the apksigner doesn’t need a v1 signature scheme. It directly signs the apk with v2,v3, or v4.

You can find the details in the main documentation.
https://source.android.com/docs/security/features/apksigning

[ajinabraham]

Thanks for the detailed response. I will take a look at this as soon as I can.

[julepka]

I can confirm seeing the same issue at least at two different apps. I've noticed that each time it happened with apps with minimum Android version set to 7.0 (API level 24). MobSF showed that v1 signature is applied while apksigner showed that it is not.

[ajinabraham]

I need a sample APK with this behaviour to troubleshoot this. The locally tested APK looks good

minSdk 24
targetSdk 32

MobSF v3.7.7

v1 signature: False
v2 signature: True
v3 signature: False
v4 signature: Unknown

APK signer

./apksigner verify --verbose app-release.apk 
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1

[ajinabraham]

Anyways we are using apksigner to get signature information from now on. This should address the issue.

[asukoeee]

Hi @burakakyol Thanks for the report. Can you share an APK to troubleshoot this?