MASTG-TEST-0224: Usage of Insecure Signature Version
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview
Not using newer APK signing schemes means that the app lacks the enhanced security provided by more robust, updated mechanisms.
This test checks if the outdated v1 signature scheme is enabled. The v1 scheme is vulnerable to certain attacks, such as the "Janus" vulnerability (CVE-2017-13156), because it does not cover all parts of the APK file, allowing malicious actors to potentially modify parts of the APK without invalidating the signature. Relying solely on v1 signing therefore increases the risk of tampering and compromises app security.
To learn more about APK Signing Schemes, see "Signing Process".
Steps
- Obtain the minSdkVersion attribute from the AndroidManifest.xml, e.g., via Obtaining Information from the AndroidManifest.
- List all used signature schemes as shown in Obtaining Information about the APK Signature.
Observation
The output should contain the value of the minSdkVersion attribute and the used signature schemes (for example `Verified using v3 scheme (APK Signature Scheme v3): true`).
Evaluation
The test case fails if the app has a minSdkVersion attribute of 24 or above and only the v1 signature scheme is enabled.