From 64128f8e494e5d1415c23d49fe9374ee07118ef0 Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Wed, 6 Nov 2024 12:11:14 +0000 Subject: [PATCH 1/8] Port MASTG test 0038 --- Document/0x05a-Platform-Overview.md | 11 +++++++- .../MASVS-RESILIENCE/MASTG-TEST-0x38.md | 27 +++++++++++++++++++ .../MASVS-RESILIENCE/MASTG-TEST-0038.md | 3 +++ tools/android/MASTG-TOOL-0122.md | 21 +++++++++++++++ 4 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md create mode 100644 tools/android/MASTG-TOOL-0122.md diff --git a/Document/0x05a-Platform-Overview.md b/Document/0x05a-Platform-Overview.md index f8fbbd0b81..98ea7ec16c 100644 --- a/Document/0x05a-Platform-Overview.md +++ b/Document/0x05a-Platform-Overview.md 
@@ -646,12 +646,21 @@ When an application is installed on the Android device, the Package Manager ensu ### APK Signing Schemes -Android supports three application signing schemes. Starting with Android 9 (API level 28), APKs can be verified with APK Signature Scheme v3 (v3 scheme), APK Signature Scheme v2 (v2 scheme) or JAR signing (v1 scheme). For Android 7.0 (API level 24) and above, APKs can be verified with the APK Signature Scheme v2 (v2 scheme) or JAR signing (v1 scheme). For backwards compatibility, an APK can be signed with multiple signature schemes in order to make the app run on both newer and older SDK versions. [Older platforms ignore v2 signatures and verify v1 signatures only](https://source.android.com/security/apksigning/ "APK Signing"). +Android supports multiple application signing schemes: + +- **Below Android 7.0 (API level 24)**: applications can only use the JAR signing (v1) scheme which does not protect all parts of the APK. This scheme is considered insecure. +- **Android 7.0 (API level 24) and above**: applications can use the **v2 signature scheme**, which signs the APK as a whole, providing stronger protection compared to the older v1 (JAR) signing method. +- **Android 9 (API level 28) and above**: It's recommended to use both the **v2 and v3 signature schemes**. The v3 scheme supports **key rotation**, enabling developers to replace keys in the event of a compromise without invalidating old signatures. +- **Android 11 (API level 30) and above**: applications can optionally include the **v4 signature scheme** to enable faster incremental updates. + +For backwards compatibility, an APK can be signed with multiple signature schemes in order to make the app run on both newer and older SDK versions. For example, [older platforms ignore v2 signatures and verify v1 signatures only](https://source.android.com/security/apksigning/). 
#### JAR Signing (v1 Scheme) The original version of app signing implements the signed APK as a standard signed JAR, which must contain all the entries in `META-INF/MANIFEST.MF`. All files must be signed with a common certificate. This scheme does not protect some parts of the APK, such as ZIP metadata. The drawback of this scheme is that the APK verifier needs to process untrusted data structures before applying the signature, and the verifier discards data the data structures don't cover. Also, the APK verifier must decompress all compressed files, which takes considerable time and memory. +This signature scheme is considered insecure, it is for example affected by the **Janus vulnerability (CVE-2017-13156)**, which can allow malicious actors to modify APK files without invalidating the v1 signature. As such, **v1 should never be relied on for devices running Android 7.0 and above**. + #### APK Signature Scheme (v2 Scheme) With the APK signature scheme, the complete APK is hashed and signed, and an APK Signing Block is created and inserted into the APK. During validation, the v2 scheme checks the signatures of the entire APK file. This form of APK verification is faster and offers more comprehensive protection against modification. You can see the [APK signature verification process for v2 Scheme](https://source.android.com/security/apksigning/v2#verification "APK Signature verification process") below. diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md new file mode 100644 index 0000000000..9887102c06 --- /dev/null +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md 
@@ -0,0 +1,27 @@ +--- +title: Debuggable Flag Not Disabled in the AndroidManifest +platform: android +id: MASTG-TEST-0x39-1 +type: [static] +available_since: 24 +weakness: MASWE-0104 +--- + +## Overview + +Applications need to be properly signed to safeguard their integrity and protect them from tampering. Android has evolved its signing schemes over time to enhance security, with newer versions offering more robust mechanisms. Check [APK Signing Schemes](../../../Document/0x05a-Platform-Overview.md#signing-process) for more details. + +This test checks if the insecure v1 signature scheme is enabled for applications targetting Android 7.0 (API level 24) and above. + +## Steps + +1. View the `minSDK` version in the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121, and make sure the app targets Android 7.0 (API level 24) and above. +2. List all used signature schemes using @MASTG-TOOL-0122. + +## Observation + +The output should contain the used signature schemes. + +## Evaluation + +The test case fails if the app targets Android 7.0 (API level 24) and above, and the v1 signature scheme is enabled. diff --git a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0038.md b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0038.md index 2d85130a73..625fa03a5a 100644 --- a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0038.md +++ b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0038.md @@ -7,6 +7,9 @@ platform: android title: Making Sure that the App is Properly Signed masvs_v1_levels: - R +status: deprecated +covered_by: [MASTG-TEST-0x38] +deprecation_note: New version available in MASTG V2 --- ## Overview diff --git a/tools/android/MASTG-TOOL-0122.md b/tools/android/MASTG-TOOL-0122.md new file mode 100644 index 0000000000..d776cc3727 --- /dev/null +++ b/tools/android/MASTG-TOOL-0122.md 
@@ -0,0 +1,21 @@ +--- +title: apksigner +platform: android +source: (https://developer.android.com/tools/apksigner +--- + +[apksigner](https://developer.android.com/tools/apksigner) is contained in the @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/apksigner`. + +It can be used to verify APK signatures: + +```bash +$ apksigner verify --verbose example.apk +Verifies +Verified using v1 scheme (JAR signing): false +Verified using v2 scheme (APK Signature Scheme v2): true +Verified using v3 scheme (APK Signature Scheme v3): true +Verified using v3.1 scheme (APK Signature Scheme v3.1): false +Verified using v4 scheme (APK Signature Scheme v4): false +Verified for SourceStamp: false +Number of signers: 1 +``` From 05704916e062e7139ef08507b7671228c0902d64 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 7 Nov 2024 16:09:37 +0000 Subject: [PATCH 2/8] fix tool ID --- Document/0x05i-Testing-Code-Quality-and-Build-Settings.md | 2 +- tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md | 2 +- tools/android/{MASTG-TOOL-0122.md => MASTG-TOOL-0123.md} | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) rename tools/android/{MASTG-TOOL-0122.md => MASTG-TOOL-0123.md} (91%) diff --git a/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md b/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md index c4d1337b9c..2803571946 100644 --- a/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md +++ b/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md 
@@ -24,7 +24,7 @@ Three APK signing schemes are available: - APK Signature Scheme v3 (v3 scheme). The v2 signature, which is supported by Android 7.0 (API level 24) and above, offers improved security and performance compared to v1 scheme. -The V3 signature, which is supported by Android 9 (API level 28) and above, gives apps the ability to change their signing keys as part of an APK update. This functionality assures compatibility and apps continuous availability by allowing both the new and the old keys to be used. Note that it is only available via apksigner at the time of writing. +The V3 signature, which is supported by Android 9 (API level 28) and above, gives apps the ability to change their signing keys as part of an APK update. This functionality assures compatibility and apps continuous availability by allowing both the new and the old keys to be used. Note that it is only available via @MASTG-TOOL-0123 at the time of writing. For each signing scheme the release builds should always be signed via all its previous schemes as well. diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md index 9887102c06..591c5a60ed 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md @@ -16,7 +16,7 @@ This test checks if the insecure v1 signature scheme is enabled for applications ## Steps 1. View the `minSDK` version in the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121, and make sure the app targets Android 7.0 (API level 24) and above. -2. List all used signature schemes using @MASTG-TOOL-0122. +2. List all used signature schemes using @MASTG-TOOL-0123. ## Observation diff --git a/tools/android/MASTG-TOOL-0122.md b/tools/android/MASTG-TOOL-0123.md similarity index 91% rename from tools/android/MASTG-TOOL-0122.md rename to tools/android/MASTG-TOOL-0123.md index d776cc3727..943876075f 100644 --- a/tools/android/MASTG-TOOL-0122.md 
+++ b/tools/android/MASTG-TOOL-0123.md @@ -1,7 +1,7 @@ --- title: apksigner platform: android -source: (https://developer.android.com/tools/apksigner +source: https://developer.android.com/tools/apksigner --- [apksigner](https://developer.android.com/tools/apksigner) is contained in the @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/apksigner`. From 349cc7c5a2c6663634941d3098310c0c55d8be48 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 7 Nov 2024 16:48:06 +0000 Subject: [PATCH 3/8] add new technique --- techniques/android/MASTG-TECH-0116.md | 39 +++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 techniques/android/MASTG-TECH-0116.md diff --git a/techniques/android/MASTG-TECH-0116.md b/techniques/android/MASTG-TECH-0116.md new file mode 100644 index 0000000000..f8c8af9fdf --- /dev/null +++ b/techniques/android/MASTG-TECH-0116.md 
@@ -0,0 +1,39 @@ +--- +title: Obtaining Information about the APK Signature +platform: android +--- + +## Verify APK Signatures + +@MASTG-TOOL-0123 can be used to verify APK signatures: + +```bash +$ apksigner verify --verbose example.apk +Verifies +Verified using v1 scheme (JAR signing): false +Verified using v2 scheme (APK Signature Scheme v2): true +Verified using v3 scheme (APK Signature Scheme v3): true +Verified using v3.1 scheme (APK Signature Scheme v3.1): false +Verified using v4 scheme (APK Signature Scheme v4): false +Verified for SourceStamp: false +Number of signers: 1 +``` + + +## Additional Signature Information + +Additional information about the signature including fields from the signing certificate, digest and key information can be also examined with @MASTG-TOOL-0123: + +```bash +$ apksigner verify --print-certs --verbose example.apk +[...] +Signer #1 certificate DN: CN=Example Developers, OU=Android, O=Example +Signer #1 certificate SHA-256 digest: 1fc4de52d0daa33a9c0e3d67217a77c895b46266ef020fad0d48216a6ad6cb70 +Signer #1 certificate SHA-1 digest: 1df329fda8317da4f17f99be83aa64da62af406b +Signer #1 certificate MD5 digest: 3dbdca9c1b56f6c85415b67957d15310 +Signer #1 key algorithm: RSA +Signer #1 key size (bits): 2048 +Signer #1 public key SHA-256 digest: 296b4e40a31de2dcfa2ed277ccf787db0a524db6fc5eacdcda5e50447b3b1a26 +Signer #1 public key SHA-1 digest: 3e02ebf64f1bd4ca85732186b3774e9ccd60cb86 +Signer #1 public key MD5 digest: 24afa3496f98c66343fc9c8a0a7ff5a2 +``` From 6d4d9c4c40529619c989cac66b6d87d824cc8c93 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 7 Nov 2024 16:48:19 +0000 Subject: [PATCH 4/8] update tool --- tools/android/MASTG-TOOL-0123.md | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/tools/android/MASTG-TOOL-0123.md b/tools/android/MASTG-TOOL-0123.md index 943876075f..5c82b1c0eb 100644 --- a/tools/android/MASTG-TOOL-0123.md +++ b/tools/android/MASTG-TOOL-0123.md 
@@ -4,18 +4,4 @@ platform: android source: https://developer.android.com/tools/apksigner --- -[apksigner](https://developer.android.com/tools/apksigner) is contained in the @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/apksigner`. - -It can be used to verify APK signatures: - -```bash -$ apksigner verify --verbose example.apk -Verifies -Verified using v1 scheme (JAR signing): false -Verified using v2 scheme (APK Signature Scheme v2): true -Verified using v3 scheme (APK Signature Scheme v3): true -Verified using v3.1 scheme (APK Signature Scheme v3.1): false -Verified using v4 scheme (APK Signature Scheme v4): false -Verified for SourceStamp: false -Number of signers: 1 -``` +[apksigner](https://developer.android.com/tools/apksigner), available in revision 24.0.3 and higher of the Android SDK Build Tools, is contained in the @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/apksigner` and can be used to verify APK signatures, rotate keys and display additional information about the signing certificates and keys. \ No newline at end of file From 18416966ad5c8ffa364cdddd3c2429f01e2a4bc5 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 7 Nov 2024 16:50:34 +0000 Subject: [PATCH 5/8] fix title, update to use TECH and add more evaluation --- .../MASVS-RESILIENCE/MASTG-TEST-0x38.md | 28 +++++++++++++++---- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md index 591c5a60ed..9f4d76cc07 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md @@ -1,5 +1,5 @@ --- -title: Debuggable Flag Not Disabled in the AndroidManifest +title: Usage of Insecure Signature Version platform: android id: MASTG-TEST-0x39-1 type: [static] 
@@ -15,13 +15,31 @@ This test checks if the insecure v1 signature scheme is enabled for applications ## Steps -1. View the `minSDK` version in the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121, and make sure the app targets Android 7.0 (API level 24) and above. -2. List all used signature schemes using @MASTG-TOOL-0123. +1. Obtain the `minSdkVersion` attribute from the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121. +2. List all used signature schemes using @MASTG-TECH-0116 to verify the APK signatures. ## Observation -The output should contain the used signature schemes. +The output should contain the value of the `minSdkVersion` attribute and the used signature schemes (for example `Verified using v3 scheme (APK Signature Scheme v3): true`). ## Evaluation -The test case fails if the app targets Android 7.0 (API level 24) and above, and the v1 signature scheme is enabled. +The test case fails if the app targets Android 7.0 (API level 24) and above, and only the v1 signature scheme is enabled. + +The signing configuration can be managed through Android Studio or the `signingConfigs` section in `build.gradle` or `build.gradle.kts`. To activate both the v3 and v4 schemes, the following values must be set: + +```default +// build.gradle +android { + ... + signingConfigs { + config { + ... + enableV3Signing true + enableV4Signing true + } + } +} +``` + +Note that APK v4 signing is optional and the lack of it does not represent a vulnerability. It is meant to allow developers to quickly deploy large APKs using the [ADB Incremental APK installation](https://developer.android.com/about/versions/11/features#incremental) in Android 11 and above. From 98b6d68aaba3e413515037a3ff355761d90d1048 Mon Sep 17 00:00:00 2001 
From: Carlos Holguera Date: Thu, 7 Nov 2024 16:50:46 +0000 Subject: [PATCH 6/8] add new test for key size --- .../MASVS-RESILIENCE/MASTG-TEST-0x38-2.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38-2.md diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38-2.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38-2.md new file mode 100644 index 0000000000..df423b2638 --- /dev/null +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38-2.md @@ -0,0 +1,23 @@ +--- +title: Usage of Insecure Signature Key Size +platform: android +id: MASTG-TEST-0x39-2 +type: [static] +weakness: MASWE-0104 +--- + +## Overview + +For Android apps, the cryptographic strength of the APK signature is essential for maintaining the app's integrity and authenticity. Using a signature key with insufficient length, such as an RSA key shorter than 2048 bits, weakens security, making it easier for attackers to compromise the signature. This vulnerability could allow malicious actors to forge signatures, tamper with the app's code, or distribute unauthorized, modified versions. + +## Steps + +1. List the additional signature information using @MASTG-TECH-0116. + +## Observation + +The output should contain the information about the key size in a line like: `Signer #1 key size (bits):`. + +## Evaluation + +The test case fails if any of the key sizes (in bits) is less than 2048 (RSA). For example, `Signer #1 key size (bits): 1024`. From a5636b0a671649036f4c419d3153e0cc73b463fa Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Thu, 7 Nov 2024 17:03:44 +0000 Subject: [PATCH 7/8] fix markdown, update tool execution command --- techniques/android/MASTG-TECH-0116.md | 1 - tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md | 4 ++-- tools/android/MASTG-TOOL-0123.md | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) 
diff --git a/techniques/android/MASTG-TECH-0116.md b/techniques/android/MASTG-TECH-0116.md index f8c8af9fdf..db45822830 100644 --- a/techniques/android/MASTG-TECH-0116.md +++ b/techniques/android/MASTG-TECH-0116.md @@ -19,7 +19,6 @@ Verified for SourceStamp: false Number of signers: 1 ``` - ## Additional Signature Information Additional information about the signature including fields from the signing certificate, digest and key information can be also examined with @MASTG-TOOL-0123: diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md index 9f4d76cc07..2c7cb89862 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md @@ -11,12 +11,12 @@ weakness: MASWE-0104 Applications need to be properly signed to safeguard their integrity and protect them from tampering. Android has evolved its signing schemes over time to enhance security, with newer versions offering more robust mechanisms. Check [APK Signing Schemes](../../../Document/0x05a-Platform-Overview.md#signing-process) for more details. -This test checks if the insecure v1 signature scheme is enabled for applications targetting Android 7.0 (API level 24) and above. +This test checks if the insecure v1 signature scheme is enabled for applications targeting Android 7.0 (API level 24) and above. ## Steps 1. Obtain the `minSdkVersion` attribute from the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121. -2. List all used signature schemes using @MASTG-TECH-0116 to verify the APK signatures. +2. List all used signature schemes using the `verify` command of @MASTG-TOOL-0123 as shown in @MASTG-TECH-0116. ## Observation diff --git a/tools/android/MASTG-TOOL-0123.md b/tools/android/MASTG-TOOL-0123.md index 5c82b1c0eb..6109baad78 100644 --- a/tools/android/MASTG-TOOL-0123.md +++ b/tools/android/MASTG-TOOL-0123.md 
@@ -4,4 +4,4 @@ platform: android source: https://developer.android.com/tools/apksigner --- -[apksigner](https://developer.android.com/tools/apksigner), available in revision 24.0.3 and higher of the Android SDK Build Tools, is contained in the @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/apksigner` and can be used to verify APK signatures, rotate keys and display additional information about the signing certificates and keys. \ No newline at end of file +[apksigner](https://developer.android.com/tools/apksigner), available in revision 24.0.3 and higher of the Android SDK Build Tools, is contained in the @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/apksigner` and can be used to verify APK signatures, rotate keys and display additional information about the signing certificates and keys. From 6bc39aa40660eed1ef038296191df2ce0fad14fc Mon Sep 17 00:00:00 2001 From: titze Date: Thu, 7 Nov 2024 20:01:26 +0100 Subject: [PATCH 8/8] Apply suggestions from code review Co-authored-by: Carlos Holguera --- .../android/MASVS-RESILIENCE/MASTG-TEST-0x38.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md index 2c7cb89862..3562989962 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md 
@@ -9,9 +9,11 @@ weakness: MASWE-0104 ## Overview -Applications need to be properly signed to safeguard their integrity and protect them from tampering. Android has evolved its signing schemes over time to enhance security, with newer versions offering more robust mechanisms. Check [APK Signing Schemes](../../../Document/0x05a-Platform-Overview.md#signing-process) for more details. +Not using newer APK signing schemes means that the app lacks the enhanced security provided by more robust, updated mechanisms. -This test checks if the insecure v1 signature scheme is enabled for applications targeting Android 7.0 (API level 24) and above. +This test checks if the outdated v1 signature scheme is enabled. The v1 scheme is vulnerable to certain attacks, such as the "Janus" vulnerability ([CVE-2017-13156](https://nvd.nist.gov/vuln/detail/CVE-2017-13156)), because it does not cover all parts of the APK file, allowing malicious actors to potentially **modify parts of the APK without invalidating the signature**. Relying solely on v1 signing therefore increases the risk of tampering and compromises app security. + +To learn more about APK Signing Schemes, see [this document](../../../Document/0x05a-Platform-Overview.md#signing-process). ## Steps 
@@ -24,7 +26,9 @@ The output should contain the value of the `minSdkVersion` attribute and the use ## Evaluation -The test case fails if the app targets Android 7.0 (API level 24) and above, and only the v1 signature scheme is enabled. +The test case fails if the app has a `minSdkVersion` attribute of 24 and above, and only the v1 signature scheme is enabled. + +To mitigate this issue, ensure that the app is signed with at least the v2 or v3 APK signing scheme, as these provide comprehensive integrity checks and protect the entire APK from tampering. For optimal security and compatibility, consider using v3, which also supports key rotation. Optionally, you can add v4 signing to enable faster [incremental updates](https://developer.android.com/about/versions/11/features#incremental) in Android 11 and above, but v4 alone does not provide security protections and should be used alongside v2 or v3. The signing configuration can be managed through Android Studio or the `signingConfigs` section in `build.gradle` or `build.gradle.kts`. To activate both the v3 and v4 schemes, the following values must be set: @@ -41,5 +45,3 @@ android { } } ``` - -Note that APK v4 signing is optional and the lack of it does not represent a vulnerability. It is meant to allow developers to quickly deploy large APKs using the [ADB Incremental APK installation](https://developer.android.com/about/versions/11/features#incremental) in Android 11 and above.
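Review bot: in the `Document/0x05a-Platform-Overview.md` hunk of PATCH 1/8, the sentence added after the JAR Signing paragraph, `+This signature scheme is considered insecure, it is for example affected by the **Janus vulnerability (CVE-2017-13156)** ...`, is a comma splice; split it into "This signature scheme is considered insecure. It is, for example, affected by the Janus vulnerability (CVE-2017-13156), which ...". In the same hunk the v3 bullet's "replace keys in the event of a compromise without invalidating old signatures" is ambiguous (signatures on already-shipped APKs are never touched by a later rotation); say what rotation actually gives, namely that an update signed with a new key is still accepted as the same app. Also, "It's recommended" in the Android 9 bullet is the only bullet that starts with a capital after the colon.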
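Review bot: the front matter of the new `tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md` in PATCH 1/8 is inconsistent with its file name: `id: MASTG-TEST-0x39-1` while the file and the `covered_by` entry in the deprecated test use `0x38`, and the title `Debuggable Flag Not Disabled in the AndroidManifest` belongs to a different test. The link target `#signing-process` should be checked against the heading it is meant to reach, which in this patch is `### APK Signing Schemes`. Step 1 refers to `minSDK`, but the manifest attribute is `minSdkVersion`, and "targetting" has a double t.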
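Review bot: `covered_by: [MASTG-TEST-0x38]` in the `tests/android/MASVS-RESILIENCE/MASTG-TEST-0038.md` hunk of PATCH 1/8 does not match the `id` declared inside the new test (`MASTG-TEST-0x39-1`); align the two so the cross-reference resolves once the IDs are final, and add the key-size test introduced in PATCH 6/8 to the list as well.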
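Review bot: `source: (https://developer.android.com/tools/apksigner` in the new `tools/android/MASTG-TOOL-0122.md` of PATCH 1/8 has a stray opening parenthesis that corrupts the front matter value; drop it. The sample `apksigner verify --verbose` output block is repeated verbatim in the technique file added in PATCH 3/8, so keep it in one place only.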
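Review bot: while touching the line in `Document/0x05i-Testing-Code-Quality-and-Build-Settings.md` (PATCH 2/8), fix the grammar that survives in it: "assures compatibility and apps continuous availability" reads better as "ensures compatibility and the app's continued availability", and "The V3 signature" should be lowercase `v3` to match "The v2 signature" two lines above.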
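Review bot: the new `techniques/android/MASTG-TECH-0116.md` in PATCH 3/8 has two consecutive blank lines before `## Additional Signature Information`, which markdownlint will flag. In the second block, say what `[...]` stands for (the scheme summary from the first block, since `--verbose` is passed again) and point out that the `Signer #1 key algorithm: RSA` and `Signer #1 key size (bits): 2048` lines are the ones the key-size test added in PATCH 6/8 reads.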
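Review bot: the replacement line in `tools/android/MASTG-TOOL-0123.md` (PATCH 4/8) drops the trailing newline (`\ No newline at end of file`) and packs three facts into one sentence; end the file with a newline and split it, e.g. "apksigner is part of the Android SDK Build Tools (revision 24.0.3 and higher) and ships in @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/apksigner`. It verifies APK signatures, rotates signing keys and prints details about the signing certificates and keys."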
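Review bot: the title fix in the first hunk of PATCH 5/8 leaves `id: MASTG-TEST-0x39-1` in the context lines of `MASTG-TEST-0x38.md`, still inconsistent with the `0x38` file name and with `covered_by: [MASTG-TEST-0x38]` in the deprecated test; fix the id in the same commit.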
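Review bot: the `build.gradle` snippet in the Evaluation hunk of PATCH 5/8 only works for the Groovy DSL, but the preceding sentence offers `build.gradle.kts` as an alternative, where the properties must be assigned (`enableV3Signing = true`); either show both forms or drop the `.kts` mention, and tag the fence `groovy` rather than `default`. The new evaluation line fails only when "only the v1 signature scheme is enabled", while the unchanged Overview context at the top of the hunk still says the test "checks if the insecure v1 signature scheme is enabled"; make both say the same thing (v1 alone is the finding, v1 next to v2/v3 is not). "the app targets Android 7.0 (API level 24) and above" also reads as targetSdkVersion, whereas step 1 collects `minSdkVersion`.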
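Review bot: the Evaluation in the new `MASTG-TEST-0x38-2.md` (PATCH 6/8) applies the 2048-bit threshold without looking at the algorithm, although the referenced technique output prints a `Signer #1 key algorithm:` line and apksigner accepts keys other than RSA, for which 2048 bits is the wrong yardstick; state the threshold as RSA-specific and say how to evaluate other key types, or restrict the test to `key algorithm: RSA`. The front matter has `id: MASTG-TEST-0x39-2` for a file named `0x38-2` and lacks the `available_since` that the sibling test declares.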
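Review bot: the new Overview sentence in the first hunk of PATCH 8/8, "This test checks if the outdated v1 signature scheme is enabled", is broader than the Evaluation, which only fails when v1 is the sole scheme and `minSdkVersion` is 24 or above; phrase it as "checks whether the app relies solely on the outdated v1 signature scheme" so an APK carrying v1 next to v2/v3 for backwards compatibility does not read as a finding. "see [this document]" is generic link text; use the section name, e.g. "see [APK Signing Schemes](...)".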
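Review bot: in the Evaluation hunk of PATCH 8/8, with the v4 caveat ("v4 alone does not provide security protections") now in the new paragraph, the sentence kept as context, "To activate both the v3 and v4 schemes, the following values must be set", reads as if v4 were required; reword it to "To enable v3 and, optionally, v4 signing, set:". The deleted closing note was the only place stating explicitly that a missing v4 signature is not a vulnerability; keep that sentence, since the pass/fail rule above does not mention v4.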