
android apk signing block payload poc

PoC for an Android app that reads the APK Signing Block of its own APK and extracts a payload from it to alter its behaviour.

Whether the payload is present or not does not affect the validity of the signature. The v1 (JAR) signature only covers the ZIP entries, and the v2/v3 signatures cover the ZIP entries, the central directory and the end of central directory record (with the central directory offset field replaced by the offset of the APK Signing Block when digesting), but never the contents of the signing block itself. Verifiers only look for the ID-value pairs they need and ignore the rest, so an extra pair with an unknown ID, or non-zero bytes inside the zero-filled verity padding pair that apksigner adds for 4096-byte alignment, changes nothing that is signed.

Thus we get two APKs -- with an identical valid v1+v2+v3 signature (same certificate, same signature bytes) -- but one says "nothing to see here..." when you run it, whereas the other says e.g. "This is the payload".

NB: uses the work-in-progress apksigtool to add the payload to the APK (the payload is only appended to the signing block; the APK is not re-signed).

Example

Generate a dummy keystore

$ keytool -genkey -keystore dummy-ks -alias dummy -keyalg RSA \
    -keysize 4096 -sigalg SHA512withRSA -validity 10000 \
    -storepass dummy-password -dname CN=dummy

Build a release APK

$ ./gradlew assembleRelease

NB: if you get an "SDK location not found" error, you'll need to set ANDROID_HOME first (adjust accordingly if the SDK is in another location than the Android Studio default of ~/Android/Sdk):

$ export ANDROID_HOME=~/Android/Sdk
$ ./gradlew assembleRelease

Sign it with the dummy key (apksigner will prompt for the keystore password, dummy-password, unless you pass it with --ks-pass pass:dummy-password)

$ cp app/build/outputs/apk/release/app-release-unsigned.apk poc.apk
$ apksigner sign -v --ks dummy-ks --ks-key-alias dummy poc.apk

Add the payload

In a custom block

$ echo 'This is the payload' > payload
$ ./add_poc.py poc.apk payload

Hidden in the verity padding block

$ echo 'This is the payload' > payload
$ ./add_poc.py --verity poc.apk payload

Install on phone

$ adb install poc.apk
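The following is an added example, not code from sigblock-code-poc, apksigtool or apksigner. It shows the mechanism behind the signature claim above and the two payload modes of add_poc.py: it builds a throwaway ZIP standing in for the unsigned APK, inserts an APK Signing Block with either a custom ID-value pair or a payload parked in the verity padding pair, and then reads the payload back the way the PoC app reads its own APK at runtime. No real v2/v3 signature is produced. The magic string and the verity padding block ID are the constants apksigner uses; CUSTOM_BLOCK_ID, the demo ZIP contents and the "payload first, zeros after" layout inside the verity padding are this example's own assumptions (the page does not show how add_poc.py lays the payload out).

```python
"""Added example (not sigblock-code-poc's or apksigtool's code): write and parse an
APK Signing Block with an extra ID-value pair. Assumptions: CUSTOM_BLOCK_ID is an
arbitrary unknown ID, and a payload hidden in the verity padding pair is written
at its start and zero-filled after it."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = 0x06054B50
VERITY_PADDING_BLOCK_ID = 0x42726577  # zero-filled pair apksigner adds for 4 KiB alignment
CUSTOM_BLOCK_ID = 0x504F4321          # arbitrary unknown ID, chosen for this example


def find_eocd(apk: bytes):
    """Return (eocd_offset, central_directory_offset); tolerates a ZIP comment."""
    for i in range(len(apk) - 22, max(len(apk) - 22 - 0xFFFF, 0) - 1, -1):
        if struct.unpack_from("<I", apk, i)[0] == EOCD_SIG:
            if i + 22 + struct.unpack_from("<H", apk, i + 20)[0] == len(apk):
                return i, struct.unpack_from("<I", apk, i + 16)[0]
    raise ValueError("no End Of Central Directory record")


def encode_sig_block(pairs) -> bytes:
    """uint64 size | (uint64 len, uint32 id, value)* | uint64 size | magic (sizes exclude the first field)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def locate_sig_block(apk: bytes):
    """Return (start, end, [(id, value), ...]) of the block before the central directory, or None."""
    _, cd_off = find_eocd(apk)
    if cd_off < 32 or apk[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return None
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0]
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pairs, pos, end = [], start + 8, cd_off - 24
    while pos < end:
        length = struct.unpack_from("<Q", apk, pos)[0]
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        pairs.append((struct.unpack_from("<I", apk, pos + 8)[0], apk[pos + 12:pos + 8 + length]))
        pos += 8 + length
    return start, cd_off, pairs


def write_sig_block(apk: bytes, pairs) -> bytes:
    """Insert or replace the block and patch the EOCD's central directory offset.
    The block keeps its start offset, the value v2/v3 digests substitute for that field."""
    eocd_off, cd_off = find_eocd(apk)
    found = locate_sig_block(apk)
    start = found[0] if found else cd_off
    block = encode_sig_block(pairs)
    out = bytearray(apk[:start] + block + apk[cd_off:])
    struct.pack_into("<I", out, eocd_off + len(out) - len(apk) + 16, start + len(block))
    return bytes(out)


def with_verity_padding(pairs):
    """Re-pad like apksigner: drop old padding, append zeros so the block is a multiple of 4096 bytes."""
    pairs = [p for p in pairs if p[0] != VERITY_PADDING_BLOCK_ID]
    total = len(encode_sig_block(pairs))
    if total % 4096:
        padding = 4096 - total % 4096
        if padding < 12:  # a pair needs at least its 8-byte length and 4-byte ID
            padding += 4096
        pairs.append((VERITY_PADDING_BLOCK_ID, b"\0" * (padding - 12)))
    return pairs


def add_payload(apk: bytes, payload: bytes, verity: bool = False) -> bytes:
    """The two modes on the page: a custom pair, or (assumed layout) payload at the start of the padding."""
    found = locate_sig_block(apk)
    pairs = [p for p in (found[2] if found else []) if p[0] != CUSTOM_BLOCK_ID]
    if not verity:
        pairs.append((CUSTOM_BLOCK_ID, payload))
    pairs = with_verity_padding(pairs)
    if verity:
        if not pairs or pairs[-1][0] != VERITY_PADDING_BLOCK_ID or len(pairs[-1][1]) < len(payload):
            raise ValueError("no verity padding pair large enough for the payload")
        pairs[-1] = (VERITY_PADDING_BLOCK_ID, payload + pairs[-1][1][len(payload):])
    return write_sig_block(apk, pairs)


def extract_payload(apk: bytes, verity: bool = False):
    """What the PoC app does at runtime; None means 'nothing to see here...'."""
    found = locate_sig_block(apk)
    want = VERITY_PADDING_BLOCK_ID if verity else CUSTOM_BLOCK_ID
    for block_id, value in (found[2] if found else []):
        if block_id == want:
            return (value.rstrip(b"\0") or None) if verity else value
    return None


def build_demo_apk() -> bytes:
    """Constructed stand-in for app-release-unsigned.apk (a plain ZIP, not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"\0" * 64)
        zf.writestr("assets/msg.txt", "nothing to see here...\n")
    return buf.getvalue()


def zip_entry(apk: bytes, name: str) -> bytes:
    """Read a ZIP entry to confirm the archive survived the block insertion."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)
```

Both modes keep any pairs already in the block byte for byte and leave the block at the same offset, which is exactly why a real poc.apk still passes apksigner verify -v after add_poc.py has run: nothing the v1, v2 or v3 signature covers has changed. The same parser doubles as an audit check: listing the pair IDs of an APK and flagging IDs you do not recognise, or non-zero bytes inside the verity padding pair, is how you would spot this kind of payload.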

License

GPLv3+
