
Peng Xiao Mobile Security of Alibaba - blackhat.com PDF

43 Pages·2015·3.22 MB·English

Preview Peng Xiao Mobile Security of Alibaba - blackhat.com

Peng Xiao, Mobile Security of Alibaba
What can you do to an apk without its private key except repacking?
BlackHat London 2015

About me
• Security engineer in Mobile Security of Alibaba
• Exploiting and researching vulnerabilities in mobile platforms
• Email: [email protected]

Outlines
• Introduction of APK Verification
• New Attack Methods
  • Light Attack: Certificate Cheater
  • Medium Attack: Upgrade DoS
  • Hard Attack: Hide and Ignite
  • Serious Attack: Shadows Everywhere
• Summary

APK Verification
[Diagram: Android Sources (a, b, c, …); MANIFEST.MF (a.md, b.md, c.md); CERT.SF (MF.md, a.md.md, b.md.md, c.md.md); /META-INFO; CERT.RSA (Certificate(s), public key, CERT.SF.signature); others]

SEAMLESS APP UPGRADE

Certificate Cheater
[Diagram: Android Sources (a, b, c, …); MANIFEST.MF (a.md, b.md, c.md); CERT.SF (MF.md, b.md.md, c.md.md, a.md.md); /META-INFO; CERT.RSA (Certificate(s), public key, CERT.SF.signature); others]

Vulnerabilities

X.509 Certificate
• Version
• Serial Number
• Algorithm ID
• Issuer
• Validity
• Subject
• Subject Public Key
• Extensions (optional)
• Certificate Signature Algorithm
• Certificate Signature

Attack Scenarios
[Diagram: the X.509 certificate fields listed above]
Scenario-1:
• Modification: Subject/Issuer
Harm:
• copyright problem
• gain reputation
• mislead the public

Description:
Peng Xiao Mobile Security of Alibaba BlackHat London 2015. Introduction of APK Verification New Attack Methods Summary. Mobile Security of Alibaba