Missing Signature Verification
Description
The application was re-signed with a different certificate and continued to run normally.
An attacker can repackage the app, for example to inject malware, remove license checks, or insert ad SDKs, and redistribute it without the app noticing. Android itself only enforces that an update to an already-installed package is signed with the same certificate; a re-signed APK installs cleanly on any device that does not have the original, so the platform offers no protection on its own. Because the app performs no runtime signature check, it cannot distinguish the legitimate build from a tampered one.
Common attack scenarios:
- Malware injection: Decompile, inject malicious code, re-sign, redistribute via third-party stores.
- License bypass: Remove in-app purchase or license validation logic before re-signing.
- Ad fraud: Swap ad SDK identifiers to hijack revenue.
Recommendation
Implement runtime signature verification: hash the DER-encoded APK signing certificate at startup and compare it against the hash of the release certificate, hardcoded at build time. The build-time value can be taken from apksigner verify --print-certs (which prints the certificate SHA-256 digest in hex) or exported from the release keystore; whichever encoding is chosen, the runtime computation must produce the same form. This check is a deterrent rather than a guarantee, since an attacker who repackages the app can also patch the check out, which is why the hardening points below matter.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import java.security.MessageDigest;

// Base64 of SHA-256 over the DER-encoded release certificate, computed at build time (placeholder value).
private static final String EXPECTED_SIGNATURE = "<base64-sha256-of-release-cert>";

private boolean isSignatureValid(Context context) {
    try {
        // GET_SIGNATURES is deprecated since API 28 but still returns the signing certificates.
        PackageInfo info = context.getPackageManager().getPackageInfo(
                context.getPackageName(), PackageManager.GET_SIGNATURES);
        if (info.signatures == null || info.signatures.length == 0) return false;
        for (Signature sig : info.signatures) {
            // Signature.toByteArray() is the DER-encoded X.509 certificate.
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(sig.toByteArray());
            // NO_WRAP avoids the trailing newline that Base64.DEFAULT appends.
            String actual = Base64.encodeToString(md.digest(), Base64.NO_WRAP);
            // Every signer must match, so an added or swapped certificate fails the check.
            if (!MessageDigest.isEqual(EXPECTED_SIGNATURE.getBytes(), actual.getBytes())) return false;
        }
        return true;
    } catch (Exception e) {
        return false; // fail closed if package info cannot be read
    }
}
Additional hardening recommendations:
- Move the check into a native (JNI) function to make static patching harder.
- Terminate or wipe sensitive state immediately on a failed check — do not degrade gracefully.
- Avoid storing EXPECTED_SIGNATURE as a plain string literal; obfuscate or derive it at runtime.
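The following is an added example, not code from the original page or from any particular app, showing how the fail-closed and obfuscated-constant recommendations combine with the API 28+ PackageManager.hasSigningCertificate call (which also honors APK Signature Scheme v3 key rotation, so a legitimately rotated release key still passes). The class name HardenedApplication, the XOR masking scheme and the byte values of MASK and MASKED_CERT_SHA256 are assumptions made for illustration; the real arrays must be generated from the release certificate at build time. The native (JNI) relocation of the check is not shown here.

```java
import android.app.Application;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Process;
import java.io.File;

// Hypothetical Application subclass; register it via android:name in AndroidManifest.xml.
public class HardenedApplication extends Application {

    // Placeholder values for illustration only. At build time generate 32 random bytes
    // as MASK and store MASKED_CERT_SHA256 = SHA-256(DER release cert) XOR MASK, so the
    // expected digest never appears as a readable constant in the DEX.
    private static final byte[] MASK = {
        0x1f, 0x2e, 0x3d, 0x4c, 0x5b, 0x6a, 0x79, 0x08, 0x17, 0x26, 0x35, 0x44, 0x53, 0x62, 0x71, 0x00,
        0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x07, 0x16, 0x25, 0x34, 0x43, 0x52, 0x61, 0x70 };
    private static final byte[] MASKED_CERT_SHA256 = {
        0x21, 0x43, 0x65, 0x07, 0x29, 0x4b, 0x6d, 0x0f, 0x31, 0x53, 0x75, 0x17, 0x39, 0x5b, 0x7d, 0x1f,
        0x02, 0x24, 0x46, 0x68, 0x0a, 0x2c, 0x4e, 0x70, 0x12, 0x34, 0x56, 0x78, 0x1a, 0x3c, 0x5e, 0x00 };

    // Reassembles the expected SHA-256 only transiently, in memory, at check time.
    private static byte[] expectedCertSha256() {
        byte[] out = new byte[MASKED_CERT_SHA256.length];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) (MASKED_CERT_SHA256[i] ^ MASK[i]);
        }
        return out;
    }

    @Override
    public void onCreate() {
        super.onCreate();
        // Runs before any Activity, Service or ContentProvider of the app is created.
        if (!isSignedByReleaseKey()) {
            wipeAndExit();
        }
    }

    private boolean isSignedByReleaseKey() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) {
            // hasSigningCertificate needs API 28; below that, use the GET_SIGNATURES
            // check from the recommendation above instead of returning false.
            return false;
        }
        try {
            // Compares against the package's signing lineage, so an APK re-signed with a
            // foreign certificate fails while a v3 key rotation from the real key passes.
            return getPackageManager().hasSigningCertificate(
                    getPackageName(), expectedCertSha256(), PackageManager.CERT_INPUT_SHA256);
        } catch (Exception e) {
            return false; // fail closed
        }
    }

    // No graceful degradation: persisted state is removed and the process is killed,
    // so a repackaged build cannot reuse tokens, caches or preferences left behind.
    private void wipeAndExit() {
        deleteRecursively(new File(getApplicationInfo().dataDir, "shared_prefs"));
        deleteRecursively(getFilesDir());
        deleteRecursively(getCacheDir());
        Process.killProcess(Process.myPid());
        System.exit(1);
    }

    private static void deleteRecursively(File f) {
        File[] children = f.listFiles();
        if (children != null) {
            for (File c : children) deleteRecursively(c);
        }
        f.delete();
    }
}
```

A single call site in onCreate is itself easy to patch out, so repeat the check at the points that matter most (before using stored credentials, before license-gated features) rather than relying on the startup check alone, and keep the masked arrays out of any string-extraction-friendly form such as resources or BuildConfig fields.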
Links
Standards
- OWASP_MASVS_RESILIENCE:
- MSTG_RESILIENCE_3
- OWASP_MASVS_v2_1:
- MASVS_RESILIENCE_1
- PCI_STANDARDS:
- REQ_6_2
- REQ_6_3
- SOC2_CONTROLS:
- CC_7_1
- CC_7_2
- HIPAA_CONTROLS:
- SECURITY212
- SECURITY213
- OWASP_MOBILE_TOP_10:
- M7_2024