This repository has been archived by the owner on Mar 9, 2021. It is now read-only.

Android App - weak signer Certificate (SHA1withRSA) #4

Open
gvarisco opened this issue Oct 5, 2017 · 1 comment

gvarisco commented Oct 5, 2017

The app is signed with SHA1withRSA. The SHA1 hash algorithm is known to have collision issues.

[
[
  Version: V3
  Subject: CN=Ipzs S.p.A, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, L=Roma, ST=Italia, C=00138
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  
  Validity: [From: Wed Mar 30 12:48:27 UTC 2016,
               To: Sun Mar 24 12:48:27 UTC 2041]
  Issuer: CN=Ipzs S.p.A, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, L=Roma, ST=Italia, C=00138
  SerialNumber: [    56fbcb1b]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 11 BF A4 72 7D F2 27 25   3D 7A A1 71 AB 8D AE 26  ...r..'%=z.q...&
0010: B2 7F A6 6C 21 25 87 2C   D4 51 68 99 83 AC 45 FC  ...l!%.,.Qh...E.
0020: 88 FC A9 69 FB 6E D8 DE   C2 65 36 64 F4 D5 97 38  ...i.n...e6d...8
0030: AD 13 4A 01 62 3F 32 AF   59 00 33 DF E1 F5 49 6D  ..J.b?2.Y.3...Im
0040: D5 22 70 9D E9 FD 12 86   4D 97 AD 31 FE FF 76 16  ."p.....M..1..v.
0050: 0D 1A A6 0C 5D 84 A1 07   1B A7 13 3C 27 65 24 9B  ....]......<'e$.
0060: 85 BB 06 87 F5 34 41 94   73 42 F4 54 83 38 A7 3F  .....4A.sB.T.8.?
0070: 0E EF 5A E4 30 DA D9 31   ED 3B 0F F3 A9 59 00 A6  ..Z.0..1.;...Y..

]

Current key info extracted from CERT.RSA:

$ openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1459342107 (0x56fbcb1b)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=00138, ST=Italia, L=Roma, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, CN=Ipzs S.p.A
        Validity
            Not Before: Mar 30 12:48:27 2016 GMT
            Not After : Mar 24 12:48:27 2041 GMT
        Subject: C=00138, ST=Italia, L=Roma, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, CN=Ipzs S.p.A
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:aa:ce:2f:27:03:af:79:28:49:4c:1f:d5:6f:40:
                    ea:7a:41:79:d6:f3:37:3c:a5:1b:29:c7:5b:5d:12:
                    dc:c7:0d:2f:e8:4d:a2:3a:69:e0:55:25:41:e6:63:
                    23:e8:bc:7b:b6:bc:51:f0:7d:cc:9d:54:76:cb:aa:
                    50:03:b4:95:58:13:31:82:04:e3:48:e0:49:9b:b2:
                    ea:ff:7e:8f:5c:6d:bb:b3:df:65:bc:95:aa:43:dd:
                    39:72:ff:54:72:7c:27:15:b9:6b:b4:c5:1d:52:c8:
                    0a:d0:d7:b9:42:b9:b2:4f:9a:03:8d:25:00:55:03:
                    4b:16:8e:ff:bd:3a:20:02:15
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         11:bf:a4:72:7d:f2:27:25:3d:7a:a1:71:ab:8d:ae:26:b2:7f:
         a6:6c:21:25:87:2c:d4:51:68:99:83:ac:45:fc:88:fc:a9:69:
         fb:6e:d8:de:c2:65:36:64:f4:d5:97:38:ad:13:4a:01:62:3f:
         32:af:59:00:33:df:e1:f5:49:6d:d5:22:70:9d:e9:fd:12:86:
         4d:97:ad:31:fe:ff:76:16:0d:1a:a6:0c:5d:84:a1:07:1b:a7:
         13:3c:27:65:24:9b:85:bb:06:87:f5:34:41:94:73:42:f4:54:
         83:38:a7:3f:0e:ef:5a:e4:30:da:d9:31:ed:3b:0f:f3:a9:59:
         00:a6

It is time to update to a stronger signing key for this Android app! The old default RSA 1024-bit key is weak and officially deprecated.

Note: We should keep in mind that if we use a SHA256 algorithm, the app does not work with some older Android devices (mostly pre-Android 4.3). This means that builds made with the new cert management system currently create APK files that may not install on some Android 4.0-4.2 devices (some devices will install, some will fail, depending on the manufacturer).

Quoting this report on Android apps' signing keys:

There is a security vs. compatibility trade-off a few might be interested in. Pre-4.3, Android did not support any signature algorithms except SHA1. With Android >= 4.3, SHA256 support was fixed, and SHA384, SHA512, and ECDSA were added (source). There are still Android 2.3.3 (android-10) devices being sold, so anyone interested in backwards compatibility will have to heed this.
Also, the larger the keysize and hashsize used, the longer it takes to install and update the application. So extremely large values might be unsuitable for slower hardware. The following probably doesn't buy you a tremendous amount of additional security but cranks the paranoia to 11. It does so at the cost of compatibility and performance.

Gen with:
keytool -genkey -v -keystore test.keystore -alias testkey -keyalg RSA -keysize 4096 -sigalg SHA512withRSA -dname "cn=Test,ou=Test,c=CA" -validity 10000

Sign with:
jarsigner -verbose -sigalg SHA512withRSA -digestalg SHA512 -keystore test.keystore test.apk testkey

We can probably rely on what's written here:

keytool -genkey -v -keystore test.keystore -alias testkey -keyalg RSA -keysize 4096 -sigalg SHA1withRSA -dname "cn=Test,ou=Test,c=CA" -validity 10000
do not specify passwords on the command line (i.e. do not use -keypass or -storepass)
-keysize 2048 is the minimum, but -keysize 4096 is better
-keysize 8192 is overkill and might not work on older Android versions
**SHA256withRSA and other better hashes supported on Android 4.3 and above only!**
SHA1withDSA should work, but we haven't tested it

Further references:

gvarisco commented Oct 5, 2017

According to the app's metadata, the app already requires Android 4.4 and up. We should be safe.

@italia italia deleted a comment from aantetomaso Oct 5, 2017
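
The check this issue performs by hand on the `openssl pkcs7 ... -print_certs -text` output (signature digest and RSA key size of the signer certificate), as an added example that is not part of the original thread or the project's code. The function name `audit_cert_text`, the finding labels and both sample inputs are hypothetical; the 2048-bit minimum is the one quoted in the issue.

```shell
#!/usr/bin/env bash
# Added example: audit the text form of an APK signer certificate as printed by
#   openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text
# Reads that text on stdin and prints one finding per line.
# Returns 0 = no finding, 1 = weak digest and/or key, 2 = nothing parseable.
# Assumes one signer certificate; only the first one in the input is examined.

MIN_RSA_BITS=2048   # minimum key size quoted in the issue

audit_cert_text() {
  awk -v min="$MIN_RSA_BITS" '
    /Signature Algorithm:/ && !sig  { sig = $NF }   # first occurrence only
    /Public Key Algorithm:/ && !alg { alg = $NF }
    /Public-Key: \(/ && !bits       { bits = $2; gsub(/[^0-9]/, "", bits) }
    END {
      if (sig == "" || bits == "") { print "ERROR no certificate fields found"; exit 2 }
      if (tolower(sig) ~ /md5|sha1/)                { print "WEAK_DIGEST " sig; bad = 1 }
      if (alg == "rsaEncryption" && bits + 0 < min) { print "WEAK_KEY rsa-" bits; bad = 1 }
      if (!bad) print "OK " sig " " alg "-" bits
      exit bad + 0
    }'
}

# Constructed sample inputs (trimmed). The first mirrors the fields reported in
# the issue; the second is a hypothetical certificate after re-signing.
SAMPLE_WEAK='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

SAMPLE_STRONG='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)'

# Stand-alone run over the constructed samples; in a build pipeline, pipe the
# real openssl output into audit_cert_text and fail the job on a non-zero status.
printf '%s\n' "$SAMPLE_WEAK"   | audit_cert_text || true
printf '%s\n' "$SAMPLE_STRONG" | audit_cert_text || true
```
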