fdroidserver

kamp/fdroidserver

Fork 0

mirror of https://gitlab.com/fdroid/fdroidserver.git synced 2024-11-04 14:30:11 +01:00

Commit Graph

Author	SHA1	Message	Date
Hans-Christoph Steiner	bde0558d82	update: reject APKs with invalid file sig, probably Janus exploits This just checks the first four bytes of the APK file, aka the "file signature", to make sure it is the ZIP signature and not the DEX signature. This was checked against the test APK, and I ran it against some known malware and all of f-droid.org to make sure it works. All valid ZIP files (therefore APK files) should start with the ZIP Local File Header of four bytes. https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures	2017-12-14 16:57:22 +01:00

Author

SHA1

Message

Date

Hans-Christoph Steiner

bde0558d82

update: reject APKs with invalid file sig, probably Janus exploits

This just checks the first four bytes of the APK file, aka the "file
signature", to make sure it is the ZIP signature and not the DEX signature.
This was checked against the test APK, and I ran it against some known
malware and all of f-droid.org to make sure it works.

All valid ZIP files (therefore APK files) should start with the ZIP
Local File Header of four bytes.

https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

2017-12-14 16:57:22 +01:00

1 Commits