问题描述
我需要获取程序包签名,并且当前正在使用以下代码获取它:
I need to get the package signature, and I currently get it using this code:
Signature[] sigs = c.getPackageManager()
.getPackageInfo(c.getPackageName(),
PackageManager.GET_SIGNATURES).signatures;
但是,Android Studio会向我发出此警告:
However, Android Studio gives me this warning:
对应用签名的不正确验证可能会导致以下问题:恶意应用会同时使用其真实证书和虚假证书将自己提交至Play商店,并获得对功能或信息的访问权限由于另一个应用程序,它不应该仅检查伪造的证书并忽略其余证书。请确保验证此方法返回的所有签名。
Improper validation of app signatures could lead to issues where a malicious app submits itself to the Play Store with both its real certificate and a fake certificate and gains access to functionality or information it shouldn't have due to another application only checking for the fake certificate and ignoring the rest. Please make sure to validate all signatures returned by this method.
这是什么意思在这种情况下验证签名?我将针对服务器检查签名以确保它们匹配-这是什么意思?
What does it mean to validate the signatures in this case? I'm going to check the signatures against a server to make sure they match - is that what they mean?
在本地测试中,它输出的只是一个负整数,而不是代码所需要的数组。
In a local test, all it outputs is a single negative integer, and not an array as the code would have it.
推荐答案
跟踪弹出文本会导致。
在同一文件中,有,其中包含指向外部资源的链接。
进一步的跟踪会导致有关伪造的ID漏洞。
Tracing the popup text leads to this source code fragment of Android Studio.
In the same file there is a line containing a link to the outern resource.
Further tracking leads to this presentation about the "Fake ID" vulnerability.
:
由于该错误a错误的证书链会生成,并且可能包含合法证书,这些证书已嵌入APK中,但并未真正用于对应用程序进行签名。
Due to this bug a wrong certificate chain is generated, and might include legitimate certificates, which are embedded in APK but weren’t been used to actually sign the application.
这是,防止使用此漏洞。
这意味着如果设备具有Android 4.4,则不会发生此问题。在运行较低版本的Android API设备时,可能会造成危害。
Here is the commit to Android source code, that prevents using this vulnerability.That means if the device has Android 4.4 the problem is not happening. When running lower Android API devices, it might cause harm.
这篇关于使用PackageManager.GET_SIGNATURES时出现Android Studio警告的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!