Android Master Key Exploit

Mon, Jul 8, 2013 One-minute read

The details of what I believe to be Android bug 8219321 (master keys) are below. I’ve put this together from the Cyanogenmod bug report and patch, so if anyone has some better information I’d welcome it.

When checking APK content signatures PackageParser calls its loadCertificates method, which in turn uses the getInputStream method of JarFile whose implementation is in ZipFile (the parent of JarFile) and looks up the relevant entry in a Map.

The problem is a Map can only provide a single object for a given key, so if there are two entries in a zip file with the same name only one of the entries will be returned by loadCertificates, and so only one entry is validated.

The Map is constructed as part of a loop so you can determine which entry will always be returned from loadCertificates, so what you could do is create a zip file where the entry that is verifiable is the one returned by getInputStream, and the one with the evil code is the one which ends up on the device.