Missing signs: how several brands forgot to secure a key piece of Android ($7,000 USD)

We discussed this vulnerability during Episode 239 on 05 February 2024

The issue itself is fairly easy to describe: Meta found that, of 14 reputable brands, seven had releases where one or more preinstalled APEX modules (privileged OS code) were signed using only the test keys that are publicly available in the Android Open Source Project (AOSP) repository. Since the private halves of those keys are public, a signature made with them gives no guarantee about who produced the module.

The exact root cause is likely difficult to determine, and the OEMs are unlikely to say anything publicly, but Meta does raise a few possibilities:

  1. The Compatibility Test Suite (CTS) is supposed to enforce some compatibility requirements and security guarantees, and checking the signing keys used is part of both PackageSignatureTest and ApexSignatureVerificationTest. However, both tests use hard-coded lists of keys which have over time diverged from the test keys the AOSP project actually uses, so they do not reliably catch modules signed with the current test keys.
  2. By default, the AOSP build signs all OTA updates, APKs, and APEX modules with the test keys. The OEM is then expected to run a separate script that replaces the test keys with release keys according to a specified mapping. If a test-to-release key mapping is missing for a module, however, that module simply keeps its test key, with no warning or other indication.
  3. The official signing documentation is outdated: it initially describes signatures only for APKs and OTA updates, not APEX modules, which are mentioned only under the section "Advanced Signing Options".
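As an added example (not code from the original post or from Meta's write-up), here is a small Python script covering the two gaps above: a pre-signing check that every APEX module in the build has a release-key mapping (item 2), and a post-build scan that fingerprints the AVB public key embedded in each .apex container as its `apex_pubkey` zip entry and compares it with a denylist of known test-key fingerprints (the kind of check CTS is meant to perform in item 1). Module names, key blobs and fingerprints are constructed for the example; a real denylist would be built by hashing the public `*.avbpubkey` files checked into the AOSP source tree, and the mapping would be the one passed to the AOSP re-signing script.

```python
"""Added example: catch APEX modules left on AOSP test keys.

Two checks for an OEM release pipeline (constructed for this example, not
the original post's code):
  check_key_mapping()  - before re-signing, list APEX modules that have no
                         release-key mapping (they would silently keep the
                         test key).
  scan_apex_dir()      - after the build, fingerprint the `apex_pubkey` entry
                         of every .apex container and flag known test keys.
"""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set, Tuple


def fingerprint_key(key_bytes: bytes) -> str:
    """SHA-256 hex digest over the raw AVB public-key blob.

    Assumption: the denylist holds digests computed the same way over the
    *.avbpubkey files from the AOSP tree."""
    return hashlib.sha256(key_bytes).hexdigest()


def apex_pubkey_fingerprint(apex_path) -> Optional[str]:
    """Return the fingerprint of the container's embedded AVB public key,
    or None if the `apex_pubkey` entry is missing (malformed container)."""
    with zipfile.ZipFile(apex_path) as z:
        if "apex_pubkey" not in z.namelist():
            return None
        return fingerprint_key(z.read("apex_pubkey"))


def scan_apex_dir(directory, test_key_fingerprints: Set[str]) -> Dict[str, str]:
    """Classify every .apex in `directory` as 'test-key', 'release-key' or
    'no-pubkey'. A 'test-key' result is a release blocker."""
    results: Dict[str, str] = {}
    for path in sorted(Path(directory).glob("*.apex")):
        fp = apex_pubkey_fingerprint(path)
        if fp is None:
            results[path.name] = "no-pubkey"
        elif fp in test_key_fingerprints:
            results[path.name] = "test-key"
        else:
            results[path.name] = "release-key"
    return results


def check_key_mapping(apex_modules: Iterable[str],
                      key_mapping: Dict[str, str]) -> List[str]:
    """Return the APEX modules with no test-to-release key mapping.

    The AOSP re-signing script leaves unmapped modules on the test key
    without complaint, so an empty result should be a hard gate."""
    return [m for m in apex_modules if m not in key_mapping]


def build_sample_apex(path, key_bytes: Optional[bytes]) -> None:
    """Constructed stand-in for a real .apex container: only the zip entries
    relevant to this check are present."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("apex_manifest.pb", b"")  # placeholder, not a real manifest
        if key_bytes is not None:
            z.writestr("apex_pubkey", key_bytes)


def demo(workdir: Optional[str] = None) -> Tuple[Dict[str, str], List[str]]:
    """Run both checks over three constructed containers and return
    (scan results, unmapped modules)."""
    workdir = workdir or tempfile.mkdtemp()
    # Constructed key blobs standing in for the real AVB public keys.
    test_key = b"CONSTRUCTED-AOSP-TEST-KEY"
    release_key = b"CONSTRUCTED-OEM-RELEASE-KEY"
    denylist = {fingerprint_key(test_key)}

    build_sample_apex(os.path.join(workdir, "com.example.a.apex"), test_key)
    build_sample_apex(os.path.join(workdir, "com.example.b.apex"), release_key)
    build_sample_apex(os.path.join(workdir, "com.example.c.apex"), None)

    scan = scan_apex_dir(workdir, denylist)
    # Only module b was given a release key in the (constructed) mapping.
    unmapped = check_key_mapping(
        ["com.example.a.apex", "com.example.b.apex", "com.example.c.apex"],
        {"com.example.b.apex": "oem_release.pem"},
    )
    return scan, unmapped


if __name__ == "__main__":
    scan, unmapped = demo()
    for name, verdict in scan.items():
        print(f"{name}: {verdict}")
    print("unmapped modules:", unmapped)
```

In a real pipeline the `key_mapping` argument is the same set of module-to-key pairs handed to AOSP's `sign_target_files_apks` (the `--extra_apex_payload_key` mapping), and the denylist is regenerated from the AOSP tree on each platform upgrade so it does not drift the way the hard-coded CTS lists did.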