Describe the bug
The official documentation for Code Transparency for App Bundles 1 states that "The code transparency file is a JSON Web Token (JWT) that contains a list of DEX files and native libraries included in the bundle, and their hashes." During verification, bundletool checks that "all DEX and native code files present in the APKs have matching hashes in the code transparency file".
This description already hints at an inconsistency in the implementation of bundletool: During certificate transparency creation, only DEX and SO files in the standard locations are considered. However, verification (in APK mode) checks that any DEX and SO files in the APKs contain valid entries in the certificate transparency JWT. As a result, apps that contain SO or DEX files in non-standard locations (e.g. in their assets or resources) always fail code transparency verification, even if they have not been modified between creation and verification:
(app-release.aab is the App Bundle of an app that contains a DEX file in its assets)
$ bundletool add-transparency --bundle=app-release.aab --output=app-release.signed.aab --ks=ct.jks --ks-key-alias=ct
$ bundletool check-transparency --mode apk --apk-zip tmp-apks.zip
APK signature is valid. SHA-256 fingerprint of the apk signing key certificate (must be compared with the developer's public key manually): 2A 43 80 D2 23 77 EF 04 AC 8B D8 59 D4 E3 66 4D 29 48 47 EC 84 D3 21 6F F7 12 F7 3A AF 1B AA 43
Verification failed because code was modified after code transparency metadata generation. Modified files: [assets/audience_network.dex]
This issue effectively prevents applications that contain SO or DEX files in non-standard locations from using Code Transparency altogether. This puts them at risk of supply chain attacks involving the platform they use for distributing their AAB, typically the app store they use.
Please note that e.g. the Facebook Audience Network SDK 2, the second most popular advertisement library for Android 3, ships with a DEX file in its assets folder. As a result, all apps that integrate the library suffer from this issue.
Bundletool version(s) affected
1.16.0 and below
Stacktrace
Not relevant
To Reproduce
Build an Android Application Bundle: Menu Build > Build Bundle(s) / APK(s) > Build Bundle(s)
Locate the app bundle (.aab file)
Use bundletool to add Code Transparency to the bundle: $ bundletool add-transparency --bundle=app-release.aab --output=app-release.ct.aab --ks=ct.jks --ks-key-alias=ct
Build APKs from the bundle: $ bundletool build-apks --bundle app-release.ct.aab --output app-release.ct.apks
Extract the master APK from the APKs file: unzip -p app-release.ct.apks splits/base-master.apk >base-master.apk
Zip the master APK: zip tmp-apks.zip base-master.apk
Check the code transparency using bundletool: bundletool check-transparency --mode=apk --apk-zip=tmp-apks.zip
The APK file fails code transparency verification even though it has not been modified.
Expected behavior
Code Transparency validation should succeed for the APK, since clearly it has not been modified.
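The creation/verification mismatch described in this report, modeled as an added example (this is illustrative code written for this page, not bundletool's implementation; the exact transparency-file format and bundletool's definition of "standard locations" are simplified assumptions). An in-memory zip stands in for base-master.apk, containing a constructed root DEX, a constructed lib/ native library and a constructed DEX under assets/. The generator hashes only standard-location code files, while the verifier, like check-transparency in APK mode, requires every DEX and SO in the archive to have a matching hash; the assets DEX is therefore reported as unmatched even though nothing changed, whereas a generator that uses the same file selection as the verifier accepts it and still flags a genuinely modified file:

```python
import hashlib
import io
import zipfile

# Constructed sample APK contents (not a real app): a DEX at the root, a
# native library under lib/, and a DEX that a third-party SDK ships in the
# assets folder, as in the report. Payloads are placeholder bytes.
SAMPLE_FILES = {
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00constructed-main-dex",
    "lib/arm64-v8a/libnative.so": b"\x7fELF constructed-native-lib",
    "assets/audience_network.dex": b"dex\n035\x00constructed-sdk-dex",
}


def build_sample_apk(files=SAMPLE_FILES):
    """Return the bytes of an in-memory zip standing in for base-master.apk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_code_file(name):
    """Verifier's view: any DEX or native library, wherever it sits in the APK."""
    return name.endswith(".dex") or name.endswith(".so")


def in_standard_location(name):
    """Assumed 'standard' rule: DEX at the APK root, .so anywhere under lib/."""
    if name.endswith(".dex"):
        return "/" not in name
    if name.endswith(".so"):
        return name.startswith("lib/")
    return False


def code_file_hashes(apk_bytes, selector):
    """Map entry path -> hex SHA-256 for every zip entry the selector accepts."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if selector(info.filename):
                hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def generate_transparency_entries(apk_bytes, standard_locations_only=True):
    """Model of add-transparency: by default only standard-location files are hashed."""
    selector = in_standard_location if standard_locations_only else is_code_file
    return code_file_hashes(apk_bytes, selector)


def find_unmatched_files(apk_bytes, entries):
    """Model of check-transparency --mode apk: every DEX/SO must match a recorded hash.

    Returns the sorted list of code files that are missing from the entries or
    whose current hash differs from the recorded one (reported as 'modified').
    """
    actual = code_file_hashes(apk_bytes, is_code_file)
    return sorted(path for path, digest in actual.items() if entries.get(path) != digest)


if __name__ == "__main__":
    apk = build_sample_apk()
    # Generator and verifier disagree on scope: the untouched assets DEX fails.
    print("standard-only:", find_unmatched_files(apk, generate_transparency_entries(apk)))
    # Consistent scope: the untouched APK passes ...
    entries = generate_transparency_entries(apk, standard_locations_only=False)
    print("consistent:", find_unmatched_files(apk, entries))
    # ... and a real modification is still caught.
    tampered = dict(SAMPLE_FILES, **{"classes.dex": b"dex\n035\x00tampered"})
    print("tampered:", find_unmatched_files(build_sample_apk(tampered), entries))
```

Running the script prints the assets DEX as unmatched for the standard-only generator, an empty list for the consistent one, and classes.dex for the tampered archive; the point for anyone relying on code transparency is that the "modified" verdict here is a false positive caused by scope, not by a changed file, so it cannot be treated as evidence of tampering without checking which path was flagged.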