
I made a mistake several years ago by uploading an OpenSSL certificate key (.pem and .pk8) into a blog post. The key was used to sign an Android APK using the SignApk.jar tool. Someone took it and used the key to sign malware apps, and the bad part of the story was that I put my email address in when creating that certificate. This raised issues because people accused me of being the creator of those apps.

The question is, how can I recover from this situation? Some people suggest key revocation, but I don't quite understand it. As far as I have read around the net, the revocation needs to be uploaded to a CA. What CA?

  • What CA has issued your original certificate? – ximaera Jan 17 '18 at 15:38
  • I think the options you have available depend on how the certificate was created. I assume this is a self-signed certificate you created through Android Studio's wizard? – Mike Ounsworth Jan 17 '18 at 15:46
  • @MikeOunsworth, yes, a self-signed certificate. I used these commands to create the certificate: `openssl genrsa -out key.pem 1024`; `openssl req -new -key key.pem -out request.pem`; `openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem`; `openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt` – Lorensius W. L. T Jan 17 '18 at 15:54
  • Right, so you're the CA in this setup. More specifically, your `openssl -signkey` is the CA. That doesn't really help. See my answer below. – Mike Ounsworth Jan 17 '18 at 16:09

1 Answer


Certificates in general

Certificates are complicated, I don't blame you. By far, the most common use-case for certificates is for TLS websites where you need to submit a Certificate Signing Request (CSR) to a publicly-trusted CA in order to obtain a certificate that browsers will accept. In that case you revoke your certificate by contacting the CA who originally issued it. This does not apply to you.


Certificates in Android / Google Play

My understanding of the Android / Play Store code signing model is that you generate a private "app signing" key using the wizard in Android Studio. This key is then used by Android Studio to sign your APK files, and in order to upload your app to the Play Store, you need to also upload your public key and associate it with your Play Developer Account. From here there are two models: A) that key is publicly visible on your Play Developer account and end-users' devices verify that the app has been signed by that key, or B) the key generated by Android Studio is used as the "upload key", and Google generates a second "signing key" in your cloud account to re-sign your APK with. Option B is probably more secure since compromise of your laptop does not mean compromise of the signing key (assuming malicious uploads to the Play Store can be rolled back).

Android code signing key lifecycle

In your case someone else has access to your private key, so they can write any software they want and publish it with a cryptographic signature linked to your Play Developer Account (bad news for you).


What to do?

It doesn't seem like Google has a model for "revoking" app signing keys, but you can remove a key from your Play Developer account if you contact support. Google has a help article Manage your app signing keys, and at the bottom is:

Lost or compromised private keys

If you're enrolled in Google Play App Signing, you can reset your upload key if:

  • You lost your private key, or
  • Your private key has been compromised

Note: Resetting your upload key will not affect the app signing key that Google Play uses to re-sign APKs before delivering to users.

Reset your upload key

  • Step 1: Generate a new private key and upload certificate

  • Step 2: Contact our support team

Since you need to contact the Google Support team anyway as part of this process, I would just contact them right away for advice.

  • Thanks a lot for your explanation, Mike. In my case, the key that I uploaded to a blog post was not used on any Google Play developer account. I used that key just for testing APKs and also signed a beta APK that I uploaded to my blog. After I created a Google Play developer account, I used a different key to sign that APK and put it on Google Play. The problem was the bad guy took that testing key from my blog and used it to sign malware apps. That testing key contains my identity (email and location). – Lorensius W. L. T Jan 17 '18 at 16:14
  • Hmm, ok. So no malicious apps have been uploaded to the Play Store with it? That's a less severe problem then. As I understand it then, this is a privacy issue of your email address and location leaking out. Unfortunately there may not be anything you can do since the internet doesn't forget :( – Mike Ounsworth Jan 17 '18 at 16:23
  • Currently those apps are found outside Google Play. You're right, Mike, the internet doesn't forget :( ... Thanks a lot for your answer and kindness. – Lorensius W. L. T Jan 17 '18 at 16:31
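The thread above turns on two facts: the testing certificate was self-signed with `-signkey` (so there is no CA to revoke it at), and its subject carried the asker's email and location. As an added example (not from the original post or from either participant), this POSIX shell script reproduces that openssl flow and shows what a defender can still do with such a certificate: read the identity it exposes, and record a SHA-256 fingerprint so the compromised signer can be recognised when it turns up in a suspect app. It assumes the `openssl` CLI is installed; the subject values are constructed placeholders, and the 2048-bit key size is my choice rather than the asker's 1024.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the question's
# self-signed flow, then shows what a defender can read out of such a
# certificate: the identity baked into the subject (the leaked detail the
# asker regrets) and a SHA-256 fingerprint that identifies the compromised
# key material. Subject values used by callers are constructed placeholders.
set -eu

# Create key, CSR and self-signed certificate in DIR with the given subject.
# Same openssl commands as the question's comment; 2048-bit instead of 1024
# is an assumption on my part, not the asker's parameter. Prints the cert path.
make_self_signed_cert() {
    dir=$1; subject=$2
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/key.pem" -out "$dir/request.pem" \
        -subj "$subject" -batch 2>/dev/null
    openssl x509 -req -days 9999 -in "$dir/request.pem" \
        -signkey "$dir/key.pem" -out "$dir/certificate.pem" 2>/dev/null
    echo "$dir/certificate.pem"
}

# Identity fields a self-signed signing cert exposes to anyone who obtains it
# (country, organisation, CN, emailAddress ...). Strips the "subject=" prefix.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Stable identifier for the certificate: colon-separated uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 when CERT has the known-compromised fingerprint, 1 otherwise.
# The same comparison works on the signer certificate extracted from an APK's
# META-INF/*.RSA file with `openssl pkcs7 -inform DER -print_certs`.
is_compromised_cert() {
    cert=$1; known_bad=$2
    [ "$(cert_fingerprint "$cert")" = "$known_bad" ]
}
```

Publishing the fingerprint of the leaked certificate (rather than the certificate itself) lets others check apps against it without re-distributing the identity data.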