Signature spoofing (for microg) support
Personally I am not interested in this anymore, as I'm using CopperheadOS completely without dependencies on gapps/microg. But I've hacked something up, which could be used as starting point to a proper implementation for mission-improbable: unfinished-chos-release-sigspoof-patcher
From the README.md:
What the script does is basically extract/disassemble the PackageParser.smali file from all layers of the release.tar.xz file, patch it (patch applies cleanly!), and try to reconstruct the release so it can be flashed. CopperheadOS ships a natively compiled boot-framework.oat instead of a framework.jar, so the script deletes the oat file (both for arm and arm64) and creates a new framework.jar. The assumption is that Android will load the framework.jar file then, and everything will work out (which it did not in practice: the boot screen ran forever and nothing happened).
You should check out: https://github.com/nitrogen-project/android_frameworks_base/commit/39735511068961dbf824ab1d3de3c49f2e1b669f and https://github.com/microg/android_packages_apps_GmsCore/blob/c2fc6830d7f44d0c70493d6708a1de6ac4157550/patches/android_frameworks_base-M.patch
FYI - neither I nor the copperhead people like creating a general permission for signature spoofing. I might be able to talk them into that patch or this hack if there were some way to limit it just to MicroG.
I'm working on a method to have a list, like the Apps with usage access or the notification access, to select which apps can use this permission.
Oh, and to limit the ability for more priv escalation if MicroG is vulnerable, it would also be nice to limit the signatures that it can spoof to just the Google services it is replacing.
@mikeperry-tor that's not how permissions for apps work; you could limit it to just the microg app, and only the microg app, no others, but that's about it. You could make it a toggle switch for those who don't need it or didn't want to use it, while those who did could benefit.
@BenBaltz You can change what the "permission" means though. Couldn't you just add a check at https://github.com/nitrogen-project/android_frameworks_base/commit/39735511068961dbf824ab1d3de3c49f2e1b669f#diff-cb589fb4d249734569e11adf2d1c645aR3069 to make sure that the limited permission only allows MicroG to spoof the signature of com.google.gms and the other Google packages only (as opposed to all packages)?
FYI - neither I nor the copperhead people like creating a general permission for signature spoofing.
then i will never consider using your OS, FYI.
I might be able to talk them into that patch or this hack if there were some way to limit it just to MicroG.
that wouldn't change my previous assertion.
I'm working on a method to have a list, like the Apps with usage access or the notification access, to select which apps can use this permission.
this is already done on the OMNI android 6 patch! the permission is runtime dangerous, so a prompt is displayed to allow signature spoofing by the app using it (microG core). i don't use OMNI, but i assume the list of apps that request this permission is accessible in the OS settings, with a toggle to disable or enable the permission for each app.
Oh, and to limit the ability for more priv escalation if MicroG is vulnerable
no! what privilege escalation? the signature is only spoofed by the OS in what is reported TO APPS querying for the signature of the specific app with the spoofing permission granted. the OS itself doesn't believe the spoof and doesn't grant ANY special rights based on it.
for instance: if you have a legitimate google app "A" with signature "S" and microG spoofing the same signature "S", microG will still not be able to access any of "A"'s private data, use any of "A"'s signature-based permissions, etc. the OS knows microG's real signature and continues to enforce all security depending on it (including application update checks).
again, spoofing only makes the OS lie about the signature to apps. this is necessary because apps embed google's client library, and google's client library checks the signature of google play services to lock out competitors from implementing their services.
Oh, and to limit the ability for more priv escalation if MicroG is vulnerable, it would also be nice to limit the signatures that it can spoof to just the Google services it is replacing.
the signature spoof patch does not work the way you think. there isn't an API that a compromised microG can invoke to spoof signatures. (not that it mattered at all, because the only thing any software would do after querying for google play services signature is checking against google's known signature. no software would start sending grandma's banking information away if it discovers that google play services signature happens to match santander private banking app. it is either google's or it isn't.) as i was saying, no API to spoof exists. the signature being spoofed is declared IN THE MANIFEST and can't be changed even if microG is compromised. it can only be changed by updating microG. (and the signature of the new version MUST MATCH THE REAL SIGNATURE of microG, not the spoofed one.)
IMHO before imagining attack scenarios you should check what the code actually does.
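The behaviour argued in the reply above (the spoofed signature comes from the manifest, is only substituted in what other apps are told, and plays no part in the OS's own update and signature-permission checks) as an added Python model; this is not code from the thread, CopperheadOS, microG or AOSP, and the permission name, package names and signature strings are constructed.

```python
# Added toy model of the signature-spoofing behaviour as described in the thread.
# Not CopperheadOS, microG or AOSP code. Names and signature values are constructed.
from dataclasses import dataclass, field

SPOOF_PERMISSION = "FAKE_PACKAGE_SIGNATURE"   # hypothetical permission name


@dataclass
class Package:
    name: str
    real_sig: str                  # signature the APK was actually signed with
    fake_sig: str = ""             # parsed from manifest metadata; no runtime API sets it
    granted: set = field(default_factory=set)   # runtime permissions the user granted


class PackageManager:
    """Models the two code paths: what is reported to apps vs. what is enforced."""

    def __init__(self, packages):
        self._pkgs = {p.name: p for p in packages}

    def reported_signature(self, name):
        """What another app sees when it queries a signature (the only spoofed path)."""
        p = self._pkgs[name]
        if p.fake_sig and SPOOF_PERMISSION in p.granted:
            return p.fake_sig
        return p.real_sig

    def can_update(self, name, new_apk_sig):
        """Update check compares the real signing key, so a spoof cannot hijack updates."""
        return self._pkgs[name].real_sig == new_apk_sig

    def can_share_data(self, requester, target):
        """Signature-level access (signature permissions, shared data) uses real sigs only."""
        return self._pkgs[requester].real_sig == self._pkgs[target].real_sig


def demo():
    google_sig, microg_sig = "S", "M"   # constructed stand-ins for the thread's "S"
    pm = PackageManager([
        Package("app.a", real_sig=google_sig),
        Package("microg", real_sig=microg_sig, fake_sig=google_sig,
                granted={SPOOF_PERMISSION}),
    ])
    return {
        "seen_by_client_lib": pm.reported_signature("microg"),           # "S"
        "reads_a_private_data": pm.can_share_data("microg", "app.a"),    # False
        "update_signed_with_spoofed_key": pm.can_update("microg", google_sig),  # False
        "update_signed_with_real_key": pm.can_update("microg", microg_sig),     # True
    }
```

Revoking the permission in the model (an empty `granted` set) makes `reported_signature` fall back to the real signature, which is the toggle the OMNI-style per-app prompt gives the user.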