理解した気になるApplication Signing

TIJCVZBBQL+VNQFJ.BUTVEB !SFE@GBU@EBSVNB ͳΜͱͳ͘ɺ ͦ͜͸͔ͱͳ͘ɺ ͍͍͔Μ͡ʹɺ ;Θͬͱɺ ཧղͨ͠ؾʹͳΕΔ"QQMJDBUJPO4JHOJOH 1

"OESPJEͷ"QQMJDBUJPO4JHOJOHͱ͸ w "1,ϑΝΠϧʹॺ໊͢Δ͜ͱɺ·ͨ͸ͦͷॺ໊৘ใͦͷ΋ͷ w ॺ໊ͷݕূΛ௨ͯ͠ɺ"1,ϑΝΠϧͷ*OUFHSJUZΛอূ͢Δ w *OUFHSJUZ׬શੑPS੔߹ੑ w ͬ͘͟Γݴ͏ͱʮॺ໊ஈ֊͔Βվ͟Μ͞Ε͍ͯͳ͍͜ͱʯ͕෼͔Δ w
ҟͳΔύοέʔδ໊Ͱ΋ಉ͡ॺ໊͸Ͱ͖Δ͠ɺಉ୺຤ʹΠϯετʔϧ͕Մೳ 2

Α͋͘Δޡղ w ❌ਖ਼͍͠ॺ໊Ͱ͋Ε͹ͦͷΞϓϦϑΝΠϧ͸҆શͰ͋Δ w ❌ͦͷॺ໊Λͨ͠ͻͱɾ૊৫ͷ਎ݩ͕อূ͞ΕΔ w ❌ࠓݱࡏ ݕূ࣌ ɺͦͷॺ໊ͷݩʹͳͬͨ伴͕։ൃݩʹ͓͍ͯ༗ޮͰ͋Δ w
BOETPPO 3

🤯 4

*OUFHSJUZ͕อূ͞ΕΔͱԿ͕خ͍͠ͷ w ةݥɾಛݖૢ࡞ʹ͓͍ͯ΋ਪఆͷอূΛ͢Δ͜ͱ͕Ͱ͖Δ w ྫ͑͹ΞϓϦͷΠϯετʔϧɾΞοϓσʔτ͸ຆͲͷૢ࡞͕ಛݖૢ࡞ w ύοέʔδ໊͸໊લۭؒҎ্ͷ৴པੑΛ࣋ͨͳ͍ͷͰҰக͚ͩͰ͸ෆे෼ w 㱺ΑΓ৴པͰ͖ΔԿ͔͕ඞཁ w
*OUFHSJUZΛߟ͑ͣʹ࣮ݱ͢Δʹ͸ w ૢ࡞ऀݸਓͷ੹೚ͷ΋ͱɺಛݖΛڐՄ͢Δͱ͍ͬͨૢ࡞͕ඞཁ 5

*OUFHSJUZ͕อূ͞ΕΔͱԿ͕خ͍͠ͷ w *OUFHSJUZΛར༻ͨ͠৴པͷ࣮ྫ w ҟͳΔͭͷ"1,ϑΝΠϧ͕ಉॺ໊Λ࣋ͭ㱺ॴ༗ऀͷҰகΛ৴པ w ಉύοέʔδ໊Ͱಉॺ໊ͷϑΝΠϧ㱺ॴ༗ऀʹΑΔΞοϓσʔτͱਪఆ w ॴ༗ऀ͕ಉҰͷҟͳΔͭͷΞϓϦ㱺QFSNJTTJPOΛࣗಈ෇༩FUD w
ͦͷอূͷ͔֬͞΍৘ใྔ૿ՃͳͲʹ͍ͭͯɺվળ͕ॏͶΒΕ͍ͯΔ w ೥ݱࡏɺछྨͷॺ໊ํࣜ 4JHOBUVSF4DIFNF ͕ଘࡏ͢Δ 6

"1,4JHOBUVSF4DIFNFT w ॺ໊৘ใͷ࢓༷ɾදݱܗࣜ w ݱࡏW W W W Wͷ࢓༷ ࣌ܥྻॱ
w W W W͸ಉ͡ઃܭࢥ૝ͷͨΊɺW ͱ΋ݺ͹ΕΔ w ݕূͷखॱ΋ͦΕͧΕͰࢦఆ͕͋Δ w ͨͩ͠ॺ໊ݕূػߏ͸04࣮૷ʹ͋ΔͷͰɺ࣮ߦ୺຤ʹґଘ͢Δ w $54͸͋ΔͷͰɺଟ͘ͷਓʹ͸໰୊͕ͳ͍ w ڍಈมߋ΍ෆ۩߹౳Ͱ04όʔδϣϯ͝ͱʹएׯڍಈ͕ҟͳΔ͜ͱ΋ 7

"1,4JHOBUVSF4DIFNFͷݕূ֓ཁ w ͦͷ୺຤͕ೝࣝͰ͖Δ࠷େ ͷTDIFNF͔Βॱ൪ʹԼΔܗͰݕূ w W͕ෆਖ਼ͳΒ୅ΘΓʹWΛݕূ͢Δɾɾɾͱ͸ͳΒͳ͍ 8 https://source.android.com/docs/security/features/apksigning/v4

"1,4JHOBUVSF4DIFNFW w +BSͷॺ໊ʹجͮ͘"1,޲͚ͷ֦ுํࣜ w 㲈;*1ϑΝΠϧͱͯ͠ͷॺ໊ w ηΩϡϦςΟతͳ໰୊ FH$7&r ͔Βݱࡏ͸ඇਪ঑ w
վ͟ΜΛݫີʹ๷͛ΔΘ͚Ͱ͸ͳ͍FH.&5"*/'಺ͷϑΝΠϧ w ݕূ࣌ʹVODPNQSFTT͕ඞཁͳͷͰϦεΫɾίετ͕ߴ͍ w ݱࡏͰ΋"1*ҎԼͷ୺຤Ͱಈ͔͢ͱ͖͸ඞཁʹͳͬͯ͠·͏ w .JO4%,Ҏ্΁ͷઃఆΛڧ͘ਪ঑͠·͢ 9

"1,4JHOBUVSF4DIFNFWҎ্ڞ௨஌ࣝ w ݱঢ়ͷجૅͰ͋ΓɺWͱ͸શ͘ҟͳΔํࣜ w ;*1Ͱ͸ͳ͘όΠφϦͱͯ͠ѻ͍ɺϑΝΠϧશମͷอޢ͕Մೳʹ w WؚΊɺ֤4DIFNFͱ૊Έ߹Θͤ͸ڞଘՄೳ Ұ෦௥Ճཁ݅༗Γ w
4DIFNF͝ͱʹఆٛ͞Εͨ*%Λ࣋ͭॺ໊ϒϩοΫΛԼهྖҬʹ௥Ճ͢Δ w ͦͷϒϩοΫ*%Λ஌Βͳ͍04͸ೝࣝͰ͖ͳ͍ ෆਖ਼ͱ΋ࢥΘͳ͍ 10 https://source.android.com/docs/security/features/apksigning/v2

"1,4JHOBUVSF4DIFNFW w ϑΝΠϧશମʹରͯ͠վ͟Μݕ஌͕Ͱ͖ΔΑ͏ʹͳͬͨॳΊͯͷॺ໊ํࣜ w "1* "OESPJE/ ͔Βಋೖ w 5BSHFU4%,Ҏ্ͩͱɺ"1*Ҏ߱ͷ୺຤Ͱඞਢʹ w
"1*ҎԼ͸Wॺ໊͔͠ೝࣝͰ͖ͳ͍఺ʹ஫ҙ w Ωʔϩʔςʔγϣϯʹ͸ରԠ͍ͯ͠ͳ͍ 11

"1,4JHOBUVSF4DIFNFW w Ωʔϩʔςʔγϣϯ͕ՄೳʹͳͬͨॳΊͯͷॺ໊ํࣜ w "1* "OESPJE1 ͔Βಋೖ w ݪଇɺ"1*ҎԼ༻ʹWॺ໊ ϩʔςʔγϣϯલͷॺ໊
Λ͢Δ w Ҏલͷॺ໊΁໭͢ SPMMCBDL ڐՄͳͲͷDBQBCJMJUZͷ؅ཧ΋Ͱ͖Δ w ෳ਺伴ʹΑΔॺ໊͸αϙʔτ͍ͯ͠ͳ͍ w "1*Ͱෆ۩߹΍ഁյతมߋ͕ೖΔͳͲɺ࢓༷͕ෆ҆ఆʹ 12

"1,4JHOBUVSF4DIFNFW w ετϦʔϛϯάରԠΛͨ͠ॳΊͯͷॺ໊ํࣜͰɺݱঢ়͸།Ұ w "1* "OESPJE3 ͔Βಋೖ w W ͱิ׬తʹಈ࡞͢Δ΋ͷͰɺWͷ७ਮ֦ுͰ͸ͳ͍
w Wͷॺ໊৘ใ͸ผϑΝΠϧ JETJH ͱͯ͠อଘ͞ΕΔ w "1,αΠζ͕େ͖͘ͳ͍ͱԸܙʹؾ͖ͮͮΒ͍͔΋ w BECJOTUBMMJODSFNFOUBM࣌ʹॺ໊ݕূ͕ૣ͘ऴΘͬͯخ͍͠ w ·ͨݱࡏɺ(PPHMF1MBZ͔ΒΠϯετʔϧ͢Δ৔߹ʹ࢖ΘΕ͍ͯΔ 13

"1,4JHOBUVSF4DIFNFW w ೥ݱࡏɺΩʔϩʔςʔγϣϯΛ͢Δ৔߹ͷਪ঑ॺ໊ํࣜ w "1* "OESPJE5 Ͱಋೖ w "1*Ͱద༻͞ΕͨW΁ͷվળΛؚΜ֦ͩு w
ॺ໊ϒϩοΫʹ5BSHFU"1*Λࢦఆग़དྷΔΑ͏ʹͳͬͨ w "1*͕࠷৽ͷݱঢ়ͩͱಛஈҙࣝ͠ͳ͍͕ɺࠓޙޮ͍ͯ͘Δ ͸ͣ 14 (API 31, API 32 ͱมߋ͕ೖͬͨͳΒ v3.3 Ͱ͸ɾɾɾ?)

૊Έ߹Θͤʹ͍ͭͯ w ٕज़తʹ͸೚ҙͷ૊Έ߹Θ͕ͤ༗ΓಘΔ w ࣮ͨͩ͠༻ੑΛߟྀ͢Δͱ.JO4%,ʹ݁ہҾ͖ͣΒΕΔ w ͦͷ"1*Ϩϕϧ͕৴པ͍ͯ͠Δॺ໊ํ͕ࣜͭͰ΋͋Ε͹WBMJEѻ͍ 15 API Ϩϕϧ
v1 v2 v3 v3.1 24 28 33

͏ʔΜɾɾɾ w ͦͷΞϓϦͷ։ൃݩͬͯຊ౰ʹ෼͔Βͳ͍ͷ w 04͝ͱʹೝࣝͰ͖Δॺ໊ํ͕ࣜҧ͏ͳΒɺݹ͍୺຤͸੬ऑͳͷͰ͸ w ϩʔςʔγϣϯޙͷ伴Λೝࣝ͢Δ͚ͩ͡Όͪΐͬͱෆ଍ͯ͠ͳ͍
w લͷ伴Λࣦޮ͍ͤͨ͞Μ͚ͩͲɾɾɾ w ͜ͷόʔδϣϯҎ্͸৽͍͠伴͡Όͳ͍ͱΠϯετʔϧͤͨ͘͞ͳ͍Α 16

ॺ໊ݕূͱ࿈ಈ͢ΔՁ஋ͷྫ w Πϯετʔϧݩ FH(PPHMF1MBZ ʹΑΔΞϓϦ഑৴ऀͷ਎ݩอূ w 1MBZ"QQ4JHOJOHʹΑΔ伴ͷ؅ཧ w ࠷ऴॺ໊ʹؔΘΔൿີ伴Λ։ൃऀ͕࣋ͭඞཁ͕ͳ͘ͳΔ w
ϩʔςʔγϣϯʹؔ͢Δ伴৘ใͳͲΛ1MBZ1SPUFDU΁ఏڙͰ͖Δ w 1MBZ1SPUFDUʹΑΔΠϯετʔϧલݕূ w ݹ͍04Ͱ΋৽͍͠ॺ໊ํࣜͷݕূ΍ࣦޮͨ͠伴ͷڋ൱Λߦ͑Δ w ةݥͳΞϓϦΛΠϯετʔϧલʹ஄͘ 17

ࣗ෼Ͱ΋ͬͱֶͼ͍ͨ w ࣮ߦதͷ୺຤Ͱ1BDLBHF.BOBHFS"1*Λ࢖͏ w ͨͩ͠'JSF04͸Ұ෦"1*͕ద੾ʹಈ࡞͠ͳ͍ w 04ʹ͋Δ4JHOBUVSFؔ܎ͷΫϥε͸ษڧ޲͖Ͱ͸ͳ͍ w FHTDIFNFWFSTJPO΍MJOFBHF͕OPOQVCMJD"1* w
CVJMEUPPMTͷBQLTJHOFSΛ࢖͏ w ΦϓγϣϯΛ͏·͘૊Έ߹Θͤͳ͍ͱॺ໊ํࣜผͷݕূ͕Ͱ͖ͳ͍ w ΞϓϦݕূΛߦ͏7FSJ fi DBUJPO4FSWJDF"QQΛ࡞Δ w 4ZTUFNQFSNJTTJPOͳͷͰ໘౗͍͘͞$54͘Β͍͔͠ࢀߟࢿྉ͸ͳ͍ 18

😇 19

·ͱΊ w "QQMJDBUJPO4JHOJOH͸ϑΝΠϧͷ*OUFHSJUZΛอূ͢Δ w ͦͷੑ࣭Λར༻ͨ͠ػೳ͕͍ͭ͘΋ఏڙ͞Ε͍ͯΔ w ৴པੑ޲্΍։ൃऀ΁ͷརศੑͷͨΊɺ৭ʑͳվળ͕Ճ͑ΒΕ͖ͯͨ w WWW ௒͑ΒΕͳ͍น
W w W͸W ͱซ༻͢ΔύϑΥʔϚϯεվળ༻్ w ݪଇɺ1MBZ"QQ4JHOJOHΛ࢖͑͹ҙࣝ͠ͳͯ͘ࡁΉ w ೉ͦ͠͏ͳΒ.JO4%, WରԠόʔδϣϯ ʹ͠Α͏ 20

3FGFSFODFT w IUUQTFOHJOFFSJOHMJOFDPSQDPNKBCMPHBJSHPBQLTJHOJOH w IUUQTTPVSDFBOESPJEDPNEPDTTFDVSJUZGFBUVSFTBQLTJHOJOH w IUUQTTVQQPSUHPPHMFDPNHPPHMFQMBZBOESPJEEFWFMPQFSBOTXFS IMFO 21

理解した気になるApplication Signing

理解した気になるApplication Signing

Matsuda Jumpei

More Decks by Matsuda Jumpei

Featured

Transcript

TIJCVZBBQL+VNQFJ.BUTVEB !SFE@GBU@EBSVNB ͳΜͱͳ͘ɺ ͦ͜͸͔ͱͳ͘ɺ ͍͍͔Μ͡ʹɺ ;Θͬͱɺ ཧղͨ͠ؾʹͳΕΔ"QQMJDBUJPO4JHOJOH 1

"OESPJEͷ"QQMJDBUJPO4JHOJOHͱ͸ w "1,ϑΝΠϧʹॺ໊͢Δ͜ͱɺ·ͨ͸ͦͷॺ໊৘ใͦͷ΋ͷ w ॺ໊ͷݕূΛ௨ͯ͠ɺ"1,ϑΝΠϧͷOUFHSJUZΛอূ͢Δ w OUFHSJUZ׬શੑPS੔߹ੑ w ͬ͘͟Γݴ͏ͱʮॺ໊ஈ֊͔Βվ͟Μ͞Ε͍ͯͳ͍͜ͱʯ͕෼͔Δ w

Α͋͘Δޡղ w ❌ਖ਼͍͠ॺ໊Ͱ͋Ε͹ͦͷΞϓϦϑΝΠϧ͸҆શͰ͋Δ w ❌ͦͷॺ໊Λͨ͠ͻͱɾ૊৫ͷ਎ݩ͕อূ͞ΕΔ w ❌ࠓݱࡏ ݕূ࣌ ɺͦͷॺ໊ͷݩʹͳͬͨ伴͕։ൃݩʹ͓͍ͯ༗ޮͰ͋Δ w

🤯 4

*OUFHSJUZ͕อূ͞ΕΔͱԿ͕خ͍͠ͷ w ةݥɾಛݖૢ࡞ʹ͓͍ͯ΋ਪఆͷอূΛ͢Δ͜ͱ͕Ͱ͖Δ w ྫ͑͹ΞϓϦͷΠϯετʔϧɾΞοϓσʔτ͸ຆͲͷૢ࡞͕ಛݖૢ࡞ w ύοέʔδ໊͸໊લۭؒҎ্ͷ৴པੑΛ࣋ͨͳ͍ͷͰҰக͚ͩͰ͸ෆे෼ w 㱺ΑΓ৴པͰ͖ΔԿ͔͕ඞཁ w

OUFHSJUZ͕อূ͞ΕΔͱԿ͕خ͍͠ͷ w OUFHSJUZΛར༻ͨ͠৴པͷ࣮ྫ w ҟͳΔͭͷ"1,ϑΝΠϧ͕ಉॺ໊Λ࣋ͭ㱺ॴ༗ऀͷҰகΛ৴པ w ಉύοέʔδ໊Ͱಉॺ໊ͷϑΝΠϧ㱺ॴ༗ऀʹΑΔΞοϓσʔτͱਪఆ w ॴ༗ऀ͕ಉҰͷҟͳΔͭͷΞϓϦ㱺QFSNJTTJPOΛࣗಈ෇༩FUD w

"1,4JHOBUVSF4DIFNFT w ॺ໊৘ใͷ࢓༷ɾදݱܗࣜ w ݱࡏW W W W Wͷ࢓༷ ࣌ܥྻॱ

"1,4JHOBUVSF4DIFNFͷݕূ֓ཁ w ͦͷ୺຤͕ೝࣝͰ͖Δ࠷େ ͷTDIFNF͔Βॱ൪ʹԼΔܗͰݕূ w W͕ෆਖ਼ͳΒ୅ΘΓʹWΛݕূ͢Δɾɾɾͱ͸ͳΒͳ͍ 8 https://source.android.com/docs/security/features/apksigning/v4

"1,4JHOBUVSF4DIFNFW w +BSͷॺ໊ʹجͮ͘"1,޲͚ͷ֦ுํࣜ w 㲈;*1ϑΝΠϧͱͯ͠ͷॺ໊ w ηΩϡϦςΟతͳ໰୊ FH$7&r ͔Βݱࡏ͸ඇਪ঑ w

"1,4JHOBUVSF4DIFNFWҎ্ڞ௨஌ࣝ w ݱঢ়ͷجૅͰ͋ΓɺWͱ͸શ͘ҟͳΔํࣜ w ;*1Ͱ͸ͳ͘όΠφϦͱͯ͠ѻ͍ɺϑΝΠϧશମͷอޢ͕Մೳʹ w WؚΊɺ֤4DIFNFͱ૊Έ߹Θͤ͸ڞଘՄೳ Ұ෦௥Ճཁ݅༗Γ w

"1,4JHOBUVSF4DIFNFW w ϑΝΠϧશମʹରͯ͠վ͟Μݕ஌͕Ͱ͖ΔΑ͏ʹͳͬͨॳΊͯͷॺ໊ํࣜ w "1 "OESPJE/ ͔Βಋೖ w 5BSHFU4%,Ҏ্ͩͱɺ"1Ҏ߱ͷ୺຤Ͱඞਢʹ w

"1,4JHOBUVSF4DIFNFW w Ωʔϩʔςʔγϣϯ͕ՄೳʹͳͬͨॳΊͯͷॺ໊ํࣜ w "1 "OESPJE1 ͔Βಋೖ w ݪଇɺ"1ҎԼ༻ʹWॺ໊ ϩʔςʔγϣϯલͷॺ໊

"1,4JHOBUVSF4DIFNFW w ετϦʔϛϯάରԠΛͨ͠ॳΊͯͷॺ໊ํࣜͰɺݱঢ়͸།Ұ w "1* "OESPJE3 ͔Βಋೖ w W ͱิ׬తʹಈ࡞͢Δ΋ͷͰɺWͷ७ਮ֦ுͰ͸ͳ͍

"1,4JHOBUVSF4DIFNFW w ೥ݱࡏɺΩʔϩʔςʔγϣϯΛ͢Δ৔߹ͷਪ঑ॺ໊ํࣜ w "1 "OESPJE5 Ͱಋೖ w "1Ͱద༻͞ΕͨW΁ͷվળΛؚΜ֦ͩு w

૊Έ߹Θͤʹ͍ͭͯ w ٕज़తʹ͸೚ҙͷ૊Έ߹Θ͕ͤ༗ΓಘΔ w ࣮ͨͩ͠༻ੑΛߟྀ͢Δͱ.JO4%,ʹ݁ہҾ͖ͣΒΕΔ w ͦͷ"1*Ϩϕϧ͕৴པ͍ͯ͠Δॺ໊ํ͕ࣜͭͰ΋͋Ε͹WBMJEѻ͍ 15 API Ϩϕϧ

͏ʔΜɾɾɾ w ͦͷΞϓϦͷ։ൃݩͬͯຊ౰ʹ෼͔Βͳ͍ͷ w 04͝ͱʹೝࣝͰ͖Δॺ໊ํ͕ࣜҧ͏ͳΒɺݹ͍୺຤͸੬ऑͳͷͰ͸ w ϩʔςʔγϣϯޙͷ伴Λೝࣝ͢Δ͚ͩ͡Όͪΐͬͱෆ଍ͯ͠ͳ͍

ॺ໊ݕূͱ࿈ಈ͢ΔՁ஋ͷྫ w Πϯετʔϧݩ FH(PPHMF1MBZ ʹΑΔΞϓϦ഑৴ऀͷ਎ݩอূ w 1MBZ"QQ4JHOJOHʹΑΔ伴ͷ؅ཧ w ࠷ऴॺ໊ʹؔΘΔൿີ伴Λ։ൃऀ͕࣋ͭඞཁ͕ͳ͘ͳΔ w

ࣗ෼Ͱ΋ͬͱֶͼ͍ͨ w ࣮ߦதͷ୺຤Ͱ1BDLBHF.BOBHFS"1Λ࢖͏ w ͨͩ͠'JSF04͸Ұ෦"1͕ద੾ʹಈ࡞͠ͳ͍ w 04ʹ͋Δ4JHOBUVSFؔ܎ͷΫϥε͸ษڧ޲͖Ͱ͸ͳ͍ w FHTDIFNFWFSTJPO΍MJOFBHF͕OPOQVCMJD"1* w

😇 19

·ͱΊ w "QQMJDBUJPO4JHOJOH͸ϑΝΠϧͷ*OUFHSJUZΛอূ͢Δ w ͦͷੑ࣭Λར༻ͨ͠ػೳ͕͍ͭ͘΋ఏڙ͞Ε͍ͯΔ w ৴པੑ޲্΍։ൃऀ΁ͷརศੑͷͨΊɺ৭ʑͳվળ͕Ճ͑ΒΕ͖ͯͨ w WWW ௒͑ΒΕͳ͍น

3FGFSFODFT w IUUQTFOHJOFFSJOHMJOFDPSQDPNKBCMPHBJSHPBQLTJHOJOH w IUUQTTPVSDFBOESPJEDPNEPDTTFDVSJUZGFBUVSFTBQLTJHOJOH w IUUQTTVQQPSUHPPHMFDPNHPPHMFQMBZBOESPJEEFWFMPQFSBOTXFS IMFO 21