F-Droid Fake Signer PoC: Bypassing Certificate Pinning
2025-01-04
This project is a proof-of-concept demonstrating vulnerabilities in F-Droid's APK signature verification. Attackers can exploit these flaws to forge signatures, bypassing F-Droid's certificate pinning and allowing malicious apps to masquerade as legitimate ones. The vulnerabilities stem from inconsistencies in how F-Droid handles certificate order and verification within the APK signing block: by manipulating these inconsistencies, an attacker can inject false certificate information that F-Droid accepts as valid. Although fixes have been proposed and implemented, further vulnerabilities and bypasses have since been discovered, highlighting the ongoing difficulty of getting APK signature verification right.
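As an added illustration of the defensive point (this is not the PoC's code, nor F-Droid's), the following parses the APK Signature Scheme v2 block layout and compares a pinned certificate fingerprint against every signer's signing certificate, rather than against a single position that may disagree with the rest of the block. It assumes the pin is a SHA-256 of the DER certificate; the certificate bytes are constructed stand-ins, and the sample block carries empty signatures and keys (layout only).

```python
import hashlib
import struct

def _seq(buf: bytes):
    """Split a sequence of uint32-length-prefixed elements (the v2 encoding) into a list."""
    items, off = [], 0
    while off < len(buf):
        (n,) = struct.unpack_from("<I", buf, off)
        items.append(buf[off + 4:off + 4 + n])
        off += 4 + n
    return items

def _enc(payload: bytes) -> bytes:
    """Length-prefix a payload with a little-endian uint32, as the v2 block does."""
    return struct.pack("<I", len(payload)) + payload

def signing_certs(v2_value: bytes):
    """For each v2 signer, return the DER bytes of its first (signing) certificate."""
    certs = []
    for signer in _seq(_seq(v2_value)[0]):          # value = one length-prefixed signer sequence
        signed_data, _signatures, _public_key = _seq(signer)
        _digests, certificates, _attributes = _seq(signed_data)
        certs.append(_seq(certificates)[0])           # chain is ordered: signing cert first
    return certs

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def naive_pin_check(v2_value: bytes, pinned: str) -> bool:
    """Pitfall: only one signer's certificate is compared with the pin."""
    return fingerprint(signing_certs(v2_value)[0]) == pinned

def strict_pin_check(v2_value: bytes, pinned: str) -> bool:
    """Every signer's signing certificate must equal the pin; any disagreement is rejected."""
    return {fingerprint(c) for c in signing_certs(v2_value)} == {pinned}

def build_v2_value(cert_chains) -> bytes:
    """Constructed sample block: correct layout, but signatures/keys are empty placeholders."""
    signers = b""
    for chain in cert_chains:
        certificates = b"".join(_enc(c) for c in chain)
        signed_data = _enc(b"") + _enc(certificates) + _enc(b"")    # digests, certs, attributes
        signers += _enc(_enc(signed_data) + _enc(b"") + _enc(b""))  # signed data, sigs, key
    return _enc(signers)

# Constructed stand-ins for DER certificates (not real X.509 data)
TRUSTED = b"CERT:trusted-publisher"
ROGUE = b"CERT:unknown-party"
PIN = fingerprint(TRUSTED)
```

A block whose signers disagree on the certificate passes the naive check but fails the strict one; a real verifier must also validate the signatures, which this layout-only example skips.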