PTKD Mobile App Security knowledge base: PTKD-SIGN-V1
Tags: high · M8 · MASVS-RESILIENCE-3 · static analysis · PTKD-SIGN-V1

APK signed with the legacy v1 (JAR) scheme

An APK signed ONLY with the v1 (JAR) scheme is exploitable via Janus (CVE-2017-13156) on Android < 7.0: an attacker prepends a DEX file to the APK, the prepended code runs, and the v1 signature still verifies. (v1 alongside v2/v3 is fine: v2 mitigates Janus on Android 7+, and v1 is required for older devices.)

How it's exploited

v1-only signing is vulnerable to Janus (CVE-2017-13156) on Android 5.0-8.0: an attacker prepends a DEX to your signed APK, the result still verifies, and users "update" to a trojaned build that carries your signature.

Why it matters

Attackers can ship malware that passes as your legitimately signed app on older devices.

How to fix it

  1. Sign releases with the v2 and v3 schemes (v1 may remain for pre-7.0 installs; the modern schemes cover the whole file, so prepended data breaks the signature).
  2. In the Gradle signingConfig, set enableV2Signing and enableV3Signing to true (both default to true on current AGP, so check for overrides that turn them off).
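As an added check for this finding (example code written for this page, not part of the PTKD knowledge base or of any Android SDK tool), the Python below inspects an APK for the signature schemes it carries. v1 (JAR) signing leaves signature files (.RSA/.DSA/.EC) under META-INF/, while v2 and v3 signatures live in the APK Signing Block placed immediately before the ZIP central directory, identified by the trailing magic "APK Sig Block 42" and the pair IDs 0x7109871a (v2) and 0xf05368c0 (v3). The script does not verify any signature cryptographically (that remains apksigner's job); it only reports which schemes are present and flags a v1-only APK as PTKD-SIGN-V1. The sample APK is constructed in-process with placeholder signature contents so the check runs offline; real APKs are read from the path given on the command line.

```python
import io
import struct
import zipfile

# Constants from the APK Signing Block format (AOSP apksig).
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0
EOCD_SIG = b"PK\x05\x06"


def _find_eocd(data: bytes) -> int:
    """Return the offset of the ZIP end-of-central-directory record."""
    start = max(0, len(data) - 22 - 65535)  # EOCD is 22 bytes plus an optional comment
    idx = data.rfind(EOCD_SIG, start)
    if idx < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return idx


def signing_schemes(data: bytes) -> dict:
    """Report which signing schemes (v1, v2, v3) an APK carries; no crypto is checked."""
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    result = {"v1": False, "v2": False, "v3": False}

    # v1 (JAR) signing: signature-block files under META-INF/.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                result["v1"] = True

    # v2/v3: APK Signing Block directly before the central directory, laid out as
    #   uint64 size | (uint64 len, uint32 id, value)* | uint64 size | magic (16 bytes)
    if cd_offset >= 24 and data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC:
        block_size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
        block_start = cd_offset - 8 - block_size
        if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != block_size:
            raise ValueError("malformed APK Signing Block: size fields disagree")
        pos, end = block_start + 8, cd_offset - 24
        while pos < end:
            pair_len = struct.unpack_from("<Q", data, pos)[0]
            pair_id = struct.unpack_from("<I", data, pos + 8)[0]
            if pair_id == V2_BLOCK_ID:
                result["v2"] = True
            elif pair_id == V3_BLOCK_ID:
                result["v3"] = True
            pos += 8 + pair_len
    return result


def assess(data: bytes) -> str:
    """Map the scheme report onto the knowledge-base finding."""
    s = signing_schemes(data)
    if s["v2"] or s["v3"]:
        return "ok: v2/v3 signing block present"
    if s["v1"]:
        return "PTKD-SIGN-V1: v1-only (JAR) signature, Janus-exposed on affected Android versions"
    return "unsigned: no signature scheme found"


def build_fake_apk(with_v1: bool, block_ids: list) -> bytes:
    """Constructed sample: a minimal ZIP with placeholder v1 files and/or a fake signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        if with_v1:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7-not-a-real-signature")
    data = buf.getvalue()
    if not block_ids:
        return data
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    pairs = b""
    for bid in block_ids:
        value = b"\x00" * 16  # placeholder signer payload
        pairs += struct.pack("<QI", 4 + len(value), bid) + value
    block_size = len(pairs) + 8 + 16
    sig_block = struct.pack("<Q", block_size) + pairs + struct.pack("<Q", block_size) + APK_SIG_BLOCK_MAGIC
    eocd_rec = bytearray(data[eocd:])
    struct.pack_into("<I", eocd_rec, 16, cd_offset + len(sig_block))  # shift CD offset
    return data[:cd_offset] + sig_block + data[cd_offset:eocd] + bytes(eocd_rec)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:
        blob = build_fake_apk(with_v1=True, block_ids=[])  # constructed v1-only sample
    print(assess(blob))
```

Run it as `python check_apk_signing.py app-release.apk`; without an argument it assesses the constructed v1-only sample. Treat a "PTKD-SIGN-V1" result as a trigger to re-sign with v2/v3 and to confirm with `apksigner verify --verbose`, which additionally validates the signatures themselves.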

References