Android 使用时出现 Studio 警告 PackageManager.GET_SIGNATURES
Android Studio warning when using PackageManager.GET_SIGNATURES
我需要获取包签名,我目前使用此代码获取它:
Signature[] sigs = c.getPackageManager()
.getPackageInfo(c.getPackageName(),
PackageManager.GET_SIGNATURES).signatures;
但是,Android Studio 给了我这个警告:
Reading app signatures from getPackageInfo: The app signatures could be exploited if not validated properly; see issue explanation for details.
Improper validation of app signatures could lead to issues where a malicious app submits itself to the Play Store with both its real certificate and a fake certificate and gains access to functionality or information it shouldn't have due to another application only checking for the fake certificate and ignoring the rest. Please make sure to validate all signatures returned by this method.
在这种情况下验证签名是什么意思?我将针对服务器检查签名以确保它们匹配 - 这是他们的意思吗?
在本地测试中,它输出的只是一个负整数,而不是代码中的数组。
跟踪弹出文本会转到 Android Studio 的 this source code fragment。
在同一文件中,a line 包含指向外部资源的 link。
进一步跟踪导致 this presentation 关于“假 ID”漏洞。
The problem is that when Android builds the chain-of-trust, the verification process only compares the ‘subject’ rather than comparing the actual key with the one provided within the details of the certificate’s signer. As a result, an attacker can tinker with the chain-of-trust and claim to be signed by a party – without the party actually signing.
Due to this bug a wrong certificate chain is generated, and might include legitimate certificates, which are embedded in APK but weren’t been used to actually sign the application.
这里是the commit到Android的源代码,可以防止利用这个漏洞。
这意味着如果设备有 Android 4.4,问题就不会发生。当 运行 降低 Android API 设备时,可能会造成伤害。
我需要获取包签名,我目前使用此代码获取它:
Signature[] sigs = c.getPackageManager()
.getPackageInfo(c.getPackageName(),
PackageManager.GET_SIGNATURES).signatures;
但是,Android Studio 给了我这个警告:
Reading app signatures from getPackageInfo: The app signatures could be exploited if not validated properly; see issue explanation for details.
Improper validation of app signatures could lead to issues where a malicious app submits itself to the Play Store with both its real certificate and a fake certificate and gains access to functionality or information it shouldn't have due to another application only checking for the fake certificate and ignoring the rest. Please make sure to validate all signatures returned by this method.
在这种情况下验证签名是什么意思?我将针对服务器检查签名以确保它们匹配 - 这是他们的意思吗?
在本地测试中,它输出的只是一个负整数,而不是代码中的数组。
跟踪弹出文本会转到 Android Studio 的 this source code fragment。
在同一文件中,a line 包含指向外部资源的 link。
进一步跟踪导致 this presentation 关于“假 ID”漏洞。
The problem is that when Android builds the chain-of-trust, the verification process only compares the ‘subject’ rather than comparing the actual key with the one provided within the details of the certificate’s signer. As a result, an attacker can tinker with the chain-of-trust and claim to be signed by a party – without the party actually signing.
Due to this bug a wrong certificate chain is generated, and might include legitimate certificates, which are embedded in APK but weren’t been used to actually sign the application.
这里是the commit到Android的源代码,可以防止利用这个漏洞。 这意味着如果设备有 Android 4.4,问题就不会发生。当 运行 降低 Android API 设备时,可能会造成伤害。