Tags: android, apk

Is it possible to strip a V2/V3 signature from APK and retain a valid V1 signature?


Based on my understanding of the Android V1 (jarsigner-type) APK signature and V2/V3 APK signatures, it seems like it should be possible to strip the APK Signing Block (which contains V2 and V3 signatures) from its location immediately before the ZIP Central Directory such that the V1 signature is still valid. Is that correct? If so, perhaps there is an open-source tool to do this already?


Solution

  • Theoretically you can remove an APK v2/v3 signature from an APK and keep only the v1 signature. This can be done easily by unzipping the APK file and then zipping it back into a ZIP/APK (alternatively it may be sufficient to use a ZIP modifying tool: add an arbitrary file that does not exist to the ZIP and then remove it. This should remove the v2/v3 signature data from a ZIP file). The old v1 signature will not be affected by this procedure.

    However, when designing v2/v3 signatures Google considered such attacks and implemented a "Rollback Protection":

    An attacker could attempt to have a v2-signed APK verified as a v1-signed APK on Android platforms that support verifying v2-signed APK. To mitigate this attack, v2-signed APKs that are also v1-signed must contain an X-Android-APK-Signed attribute in the main section of their META-INF/.SF files. The value of the attribute is a comma-separated set of APK signature scheme IDs (the ID of this scheme is 2). When verifying the v1 signature, APK verifier is required to reject APKs which do not have a signature for the APK signature scheme the verifier prefers from this set (e.g., v2 scheme). This protection relies on the fact that contents META-INF/.SF files are protected by v1 signatures. See the section on JAR signed APK verification.

    An attacker could attempt to strip stronger signatures from the APK Signature Scheme v2 Block. To mitigate this attack, the list of signature algorithm IDs with which the APK was being signed is stored in the signed data block which is protected by each signature.

    Faking the v2/v3 signature is also not possible because the signature verification process is designed to only verify the APK signature of the highest available version as shown in the published diagram on the Google developer pages:

    [Diagram: APK signature verification process]
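As an added example (not part of the answer, and not Google's or apksigner's code), the rollback check the quoted text describes, written as a Python checker: it locates the APK Signing Block immediately before the ZIP Central Directory, lists which scheme block IDs it carries (v2 = 0x7109871A, v3 = 0xF05368C0), reads X-Android-APK-Signed from the main section of META-INF/*.SF, and flags an APK whose v1-protected .SF declares a v2/v3 signature that the block no longer contains. `build_sample_apk` is an assumption for demonstration: it constructs a sample APK with placeholder pairs and no real keys, and nothing here verifies an actual signature.

```python
import io, struct, zipfile
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {2: 0x7109871A, 3: 0xF05368C0}  # v2 / v3 pair IDs from the AOSP signing docs

def central_directory_offset(data: bytes) -> int:
    eocd = data.rfind(b"PK\x05\x06", max(0, len(data) - 65557))  # 22-byte EOCD + <=64K comment
    if eocd < 0:
        raise ValueError("not a ZIP: no End of Central Directory record")
    return struct.unpack_from("<I", data, eocd + 16)[0]

def signing_block_scheme_versions(data: bytes) -> set:
    """Scheme versions (2, 3) that have an ID-value pair in the APK Signing Block, if any."""
    cd = central_directory_offset(data)
    if data[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return set()  # nothing immediately before the Central Directory: no v2/v3 signature
    size = struct.unpack_from("<Q", data, cd - 24)[0]  # trailing copy of the block size
    pos, end = cd - size, cd - 24  # pairs sit between the leading size field and the trailer
    found = set()
    while pos < end:
        length, pair_id = struct.unpack_from("<QI", data, pos)
        found.update(v for v, i in SCHEME_IDS.items() if i == pair_id)
        pos += 8 + length
    return found

def v1_declared_versions(data: bytes) -> set:
    """Versions listed in X-Android-APK-Signed in the main section of each META-INF/*.SF."""
    declared = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith(".SF"):
                main = zf.read(name).decode().replace("\r\n", "\n").split("\n\n")[0]
                for line in main.replace("\n ", "").split("\n"):  # join 72-byte continuations
                    if line.lower().startswith("x-android-apk-signed:"):
                        declared.update(int(v) for v in line.split(":", 1)[1].split(","))
    return declared

def rollback_detected(data: bytes) -> bool:
    """True when the v1-protected .SF promises a v2/v3 signature the Signing Block lacks."""
    return not v1_declared_versions(data) <= signing_block_scheme_versions(data)

def build_sample_apk(block_versions) -> bytes:
    """Constructed sample, no real keys: .SF declaring v2+v3, block with pairs for block_versions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\nX-Android-APK-Signed: 2, 3\r\n\r\n")
    z = buf.getvalue()
    cd, eocd = central_directory_offset(z), z.rfind(b"PK\x05\x06")
    pairs = b"".join(struct.pack("<QI", 12, SCHEME_IDS[v]) + b"\0" * 8 for v in block_versions)
    size = struct.pack("<Q", len(pairs) + 24)  # field excludes itself: pairs + trailing size + magic
    block = (size + pairs + size + APK_SIG_BLOCK_MAGIC) if block_versions else b""  # [] = stripped
    # Insert the block before the Central Directory and point the EOCD at the moved directory.
    return z[:cd] + block + z[cd:eocd + 16] + struct.pack("<I", cd + len(block)) + z[eocd + 20:]
```

An empty `block_versions` list models the stripped APK from the answer: the .SF still lists 2 and 3, so the checker reports a rollback.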