geohashdroid
weak signing key with disabled algorithm
Your APKs are signed with a key that is considered insecure:
package: name='net.exclaimindustries.geohashdroid' versionCode='941' versionName='0.9.6.4' platformBuildVersionName='15' platformBuildVersionCode='35' compileSdkVersion='35' compileSdkVersionCodename='15'
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=Nicholas Killewald, OU=Unknown, O=Exclaim Industries, L=Lexington, ST=Kentucky, C=US
Signer #1 certificate SHA-256 digest: 29ca3160d43d360984742d3837f6be8a08f8ba7d5b44ecdfb8d97107fb017f5f
Signer #1 certificate SHA-1 digest: 360f8b04dc08be0a8c15194acd8b66474fce238a
Signer #1 certificate MD5 digest: 107e67e152228e838d20918b3d590ccd
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 1024
Signer #1 public key SHA-256 digest: cd0b1cadb641db1a693f7451821b54408cc37a959960a35cc6ce96fd4e5b50b5
Signer #1 public key SHA-1 digest: 51df2c0ab5bf4eba7e1d260a100ccadeeeff9bfb
Signer #1 public key MD5 digest: f32fad118b1cd609df2afc66d334abf2
Signature algorithm name: MD5withRSA (disabled)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
The certificate uses the MD5withRSA signature algorithm which is considered a security risk and is disabled.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
Is there any chance you'd upgrade to a secure signing key? I know that would imply folks would have to uninstall and re-install in order to get updates again, but considering the security risk this might be a price worth paying.
While being here:
Offending libs:
---------------
* Google Maps API (/com/google/android/gms/maps): NonFreeComp,NonFreeNet
* Play Services Places Placereport (/com/google/android/gms/places_placereport): NonFreeComp,NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeComp
3 offenders.
SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
Are those proprietary libraries really needed for the app to work? As for the DEPENDENCY_INFO_BLOCK, that can easily be avoided with a minor addition to your build.gradle:
android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs (for IzzyOnDroid/F-Droid)
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles (for Google Play)
        includeInBundle = false
    }
}
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
Thanks in advance for your consideration!
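The two checks behind this issue, as an added example that is not the issue author's or the geohashdroid project's code: `audit_apksigner_output` flags the weak signer parameters in `apksigner verify --print-certs` output (the sample lines are the ones quoted above), and `find_signing_block_ids` walks an APK Signing Block and lists its ID-value pairs, which is how the `0x504b4453` DEPENDENCY_INFO_BLOCK above is spotted. The APK it scans is a constructed stand-in produced by `build_sample_apk` (a one-entry zip with a hand-built signing block), not the real geohashdroid APK; the thresholds, the `KNOWN_BLOCK_IDS` table and the function names are this example's own assumptions.

```python
import io
import re
import struct
import zipfile

# Constructed sample: the apksigner `verify --print-certs` lines quoted in the issue.
APKSIGNER_OUTPUT = """\
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 1024
Signature algorithm name: MD5withRSA (disabled)
"""

# Assumed thresholds; they match what apksigner currently reports as weak/disabled.
WEAK_SIG_ALGS = {"MD5withRSA", "SHA1withRSA", "SHA1withDSA"}
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 256}


def audit_apksigner_output(text):
    """Return human-readable findings for weak signers in apksigner --print-certs output."""
    findings = []
    for m in re.finditer(r"Signer #(\d+) key algorithm: (\w+)", text):
        n, alg = m.group(1), m.group(2)
        size = re.search(rf"Signer #{n} key size \(bits\): (\d+)", text)
        bits = int(size.group(1)) if size else 0
        if bits < MIN_KEY_BITS.get(alg, 0):
            findings.append(f"signer {n}: {bits}-bit {alg} key is below {MIN_KEY_BITS[alg]} bits")
    for m in re.finditer(r"Signature algorithm name: (\S+)", text):
        if m.group(1) in WEAK_SIG_ALGS:
            findings.append(f"certificate signed with {m.group(1)}")
    if re.search(r"v3 scheme.*: false", text):
        # v3 is the scheme that can carry a key-rotation proof (Android 9+).
        findings.append("no v3 signature: APK carries no key-rotation proof")
    return findings


# Block IDs from AOSP's apksig plus the Google-only dependency block seen above.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x1B93AD61: "APK Signature Scheme v3.1",
    0x42726577: "verity padding",
    0x6DFF800D: "SourceStamp v2",
    0x504B4453: "DEPENDENCY_INFO_BLOCK (Google, encrypted)",
}
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def find_signing_block_ids(apk_bytes):
    """Map ID -> value for every ID-value pair in the APK Signing Block ({} if there is none)."""
    eocd = apk_bytes.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a zip: no end-of-central-directory record")
    cd_off = struct.unpack_from("<I", apk_bytes, eocd + 16)[0]  # central directory offset
    if cd_off < 24:
        return {}
    size, magic = struct.unpack_from("<Q16s", apk_bytes, cd_off - 24)
    if magic != APK_SIG_BLOCK_MAGIC:
        return {}
    start = cd_off - size - 8  # leading size_of_block field (size excludes that field)
    if struct.unpack_from("<Q", apk_bytes, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pos, end, pairs = start + 8, cd_off - 24, {}
    while pos < end:
        length = struct.unpack_from("<Q", apk_bytes, pos)[0]  # len(ID) + len(value)
        block_id = struct.unpack_from("<I", apk_bytes, pos + 8)[0]
        pairs[block_id] = apk_bytes[pos + 12 : pos + 8 + length]
        pos += 8 + length
    return pairs


def build_sample_apk(include_dependency_block=True):
    """Constructed stand-in for an APK: a one-entry zip with a hand-built signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"not a real manifest")
    data = bytearray(buf.getvalue())
    eocd = data.rfind(b"PK\x05\x06")
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
    pairs = [(0x7109871A, b"fake v2 signer data")]
    if include_dependency_block:
        pairs.append((0x504B4453, b"constructed dependency metadata"))
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    struct.pack_into("<I", data, eocd + 16, cd_off + len(block))  # CD moves past the block
    return bytes(data[:cd_off]) + block + bytes(data[cd_off:])


if __name__ == "__main__":
    for finding in audit_apksigner_output(APKSIGNER_OUTPUT):
        print("finding:", finding)
    for block_id, value in find_signing_block_ids(build_sample_apk()).items():
        print(f"0x{block_id:08x} ({KNOWN_BLOCK_IDS.get(block_id, 'unknown')}): {len(value)} bytes")
```

On a real file, replace `build_sample_apk()` with the bytes of the APK; the signing-block walk only reads the zip trailer and the block in front of the central directory, so it never needs to unpack entries.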