Security warning: application contains embedded private keys or keystore files

Recently received mail from Google:

This is a notification that your application com.myapp contains one or more private keys or keystore files embedded in its published APK, as listed at the end of this letter. Third parties can access these embedded items, which raises different risks depending on what the key is used for. For example, if the private key is the signing key for your application, a third party could sign and distribute applications that replace or corrupt your authentic applications. Such a party could also sign and distribute applications under your identity.

As a general security practice, we strongly recommend against embedding private keys and keystore files in applications, even if the keys are password-protected or obfuscated. The most effective way to protect your private key and keystore files is not to distribute them at all.

Please remove your private keys and keystore files from your application at your earliest convenience. Each application is different, but if you are not sure how to find the keys and keystore files in your application, you can try searching for files with a keystore file extension and grepping for "PRIVATE KEY". For more information about keeping your key safe, see https://developer.android.com/tools/publishing/app-signing.html .

As a developer, you are responsible for keeping your private key secure at all times. Please note that while it is not clear what specific problems affect your application, applications with vulnerabilities that expose users to the risk of compromise may be considered "dangerous products" and must be removed from Google Play.

To check whether future versions of your apps contain private keys, see the "Alerts" section in the Google Play Developer Console: https://play.google.com/apps/publish/#AlertsPlace .

Affected applications and embedded element patterns:

repack/org/bouncycastle/openssl/test/data/DSA/openssl_dsa_aes128_cbc.pem
repack/org/bouncycastle/openssl/test/data/DSA/openssl_dsa_aes128_cfb.pem
repack/org/bouncycastle/openssl/test/data/DSA/openssl_dsa_aes128_ecb.pem
repack/org/bouncycastle/openssl/test/data/DSA/openssl_dsa_aes128_ofb.pem
repack/org/bouncycastle/openssl/test/data/DSA/openssl_dsc_esabc.19es

I am using a library (a jar file) that contains the above .pem files. These files contain the string "PRIVATE KEY". I do not include my own private key or keystore anywhere in the APK package. What can I do to solve this problem? What changes should I make to the JAR file or the APK? Please help.

+6

3 answers

Today I got a very similar message from Google about this. After investigating, I found the same files that you listed in one of my jars. I solved this problem by deleting the entire openssl folder from the jar using the following console command.

zip --delete AFFECTEDJAR.jar "repack/org/bouncycastle/openssl/*"

I would suggest checking whether any Java classes are in this folder before running this. In my case, there was nothing there but test data.

Hope this helps.

+4

Most likely, you do not need these files in the application. Just exclude them from the export process when you release the application. I assume they are located inside the project simply for convenience when passing the application around and keeping them next to the project.

If so, simply move the keystores outside the package and reference them separately when necessary so that they are not packaged.

0
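Both answers come down to the same pre-release check: find anything in the archive that looks like key material, confirm the folder you are about to delete holds only test data and no classes, and then strip it. The script below is an added example (not code from the question, the answers, or Bouncy Castle) that does this over a jar or APK, which are both plain zip archives. It builds a small constructed archive in memory that mimics the layout from the Google notice, so it runs offline; the entry names, the placeholder PEM bytes and the `PEMReader.class` stray entry are all constructed for the demo, and the extension list is an assumption about what counts as a keystore.

```python
import io
import re
import zipfile

# Constructed placeholder, not a real key: only the PEM armour matters for the scan.
SAMPLE_PEM = (b"-----BEGIN DSA PRIVATE KEY-----\n"
              b"(constructed placeholder, not real key bytes)\n"
              b"-----END DSA PRIVATE KEY-----\n")

OPENSSL_PREFIX = "repack/org/bouncycastle/openssl/"

# Extensions treated as key or keystore files (assumption; extend for your build).
KEY_NAME_RE = re.compile(r"\.(pem|key|p12|pfx|jks|bks|keystore)$", re.IGNORECASE)
KEY_MARKER = b"PRIVATE KEY"


def build_sample_jar(stray_class: bool = False) -> bytes:
    """Constructed in-memory jar shaped like the one in the notice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("com/myapp/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        for mode in ("cbc", "cfb", "ecb", "ofb"):
            name = f"{OPENSSL_PREFIX}test/data/DSA/openssl_dsa_aes128_{mode}.pem"
            zf.writestr(name, SAMPLE_PEM)
        # A keystore that slipped into assets/ (the case answer 2 describes).
        zf.writestr("assets/release.keystore", b"\xfe\xed\xfe\xed" + b"\x00" * 8)
        if stray_class:
            # Hypothetical class living under the folder we intend to delete.
            zf.writestr(OPENSSL_PREFIX + "PEMReader.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def entry_names(archive: bytes):
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def find_key_material(archive: bytes):
    """Return (entry, reason) pairs for entries that look like key material:
    a key/keystore extension, or file content containing 'PRIVATE KEY'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if KEY_NAME_RE.search(info.filename):
                reasons.append("suspicious extension")
            if KEY_MARKER in zf.read(info):
                reasons.append("contains 'PRIVATE KEY'")
            if reasons:
                findings.append((info.filename, ", ".join(reasons)))
    return findings


def classes_under(archive: bytes, prefix: str):
    """The check answer 1 recommends: any .class files under the folder?"""
    return [n for n in entry_names(archive)
            if n.startswith(prefix) and n.endswith(".class")]


def strip_prefix(archive: bytes, prefix: str) -> bytes:
    """Rewrite the archive without any entry under prefix, the in-Python
    equivalent of `zip --delete JAR "prefix*"`. Refuses if classes are present,
    because deleting them would break the library at runtime."""
    leftover = classes_under(archive, prefix)
    if leftover:
        raise ValueError(f"refusing to strip {prefix}: class files present: {leftover}")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if not info.filename.startswith(prefix):
                dst.writestr(info, src.read(info))
    return out.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    for name, why in find_key_material(jar):
        print(f"{name}: {why}")
    cleaned = strip_prefix(jar, OPENSSL_PREFIX)
    print("remaining findings:", find_key_material(cleaned))
```

Run it against a real build by replacing `build_sample_jar()` with the bytes of your jar or APK; anything still reported after the strip (here, the keystore under `assets/`) is exactly what answer 2 says to move out of the project so the packaging step never sees it.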

Source: https://habr.com/ru/post/976380/
