Conversation
Notices
-
LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864} (lnxw48a1@nu.federati.net)'s status on Sunday, 04-Dec-2022 22:44:06 UTC LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864} https://nu.federati.net/url/288799 [arstechnica com]
#Samsung, among others, has leaked their #Android app-signing keys.
> Guess what has happened! Łukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets.
...
> What OEMs really need to do is stop using the compromised keys to secure their apps. It's not clear why Samsung continues to use the key. Android's APK Signature Scheme V3 allows developers to change app keys with just an update—you authenticate an app with the new and old key and indicate that only the new key is supported for updates. This is a requirement for Play Store apps, but again, system apps from OEMs are not subject to any of the Play Store rules, so some OEMs are still using the old v2 signature scheme.
> Thankfully, these leaked keys are only for apps and not the keys used to sign OS updates. So even if the v3 signature scheme is not in use, theoretically the affected companies could ship a still-secure OTA update that includes new system apps with new keys, and they could make new corresponding Play Store updates that are compatible with those new keys. That sounds like a lot of work, though.