Application Signed with Debug Certificate


    • Type: Bug
    • Resolution: Done
    • Priority: Highest
    • 2.8
    • Affects Version/s: None
    • FLW Sprint 36, FLW Sprint 37, FLW Sprint 38, FLW Sprint 39
    • FLW Mobile App
    • UAT

      The application binary is currently signed using a debug certificate instead of the required release/production certificate. This can cause installation issues, prevent store submission, reduce security, and potentially expose sensitive app signing information.

      Vulnerability Name: Application Signed with Debug Certificate
      Vulnerable URL: Android Application
      CVE/CWE: CWE-295
      CVSS Score: 7.5
      Overall Risk (Severity): High
      Observation / Description: The application is signed with a debug certificate rather than a release certificate. Debug certificates are intended for development and testing purposes and should never be used for production releases. This presents a significant security risk, as debug-signed applications lack critical security features and may be more vulnerable to various attacks, including tampering, reverse engineering, and unauthorized modifications.
      Impact:
          • Security Risks: Debug-signed applications lack the security features of release-signed certificates, making them vulnerable to tampering, reverse engineering, and unauthorized modifications.
          • Data Integrity: Use of a debug certificate may compromise the integrity of the application's data, as it may not provide the same level of data protection as a release certificate.
          • Interoperability Issues: Some platforms or services may reject or restrict applications signed with debug certificates, leading to compatibility issues or limitations in functionality.
          • Trust Issues: Users may lose trust in the application if they discover it is signed with a debug certificate, as it implies a lack of professionalism and adherence to security best practices.
      Recommendation:
          • Resign with Release Certificate: Rebuild and sign the application with a release certificate issued by a trusted certificate authority before deployment to production environments.
          • Resign the application with a release certificate issued by a trusted certificate authority and ensure secure key management practices are followed.
      Reference: https://cwe.mitre.org/data/definitions/295.html
      Steps to reproduce:
          Step 1: During the security assessment, we decompiled the APK using Jadx-gui, which revealed that it was signed with a debug certificate instead of a release certificate.
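      The finding above was made by inspecting the signing certificate manually. The following added example (not part of this issue or the FLW project code) shows how the same check can be automated as a release gate: it parses the text printed by `apksigner verify --print-certs` and flags any signer whose certificate subject matches the well-known distinguished name that the Android SDK tools write into the default debug keystore (CN=Android Debug, O=Android, C=US). The two sample `apksigner` outputs embedded below are constructed for the example; the fingerprint values in them are placeholders, not real digests.

```python
import re
from typing import List, Tuple

# Subject DN that Android SDK tooling puts in the auto-generated debug keystore.
# Any APK signed with this DN has been built with the default debug signing config.
DEBUG_SIGNER_DN = "CN=Android Debug, O=Android, C=US"

# Line format printed by `apksigner verify --print-certs`, e.g.
#   Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
_DN_LINE = re.compile(r"^Signer #(\d+) certificate DN: (.+)$")


def parse_signer_dns(apksigner_output: str) -> List[str]:
    """Return the certificate DN of every signer listed in apksigner output."""
    dns = []
    for raw in apksigner_output.splitlines():
        match = _DN_LINE.match(raw.strip())
        if match:
            dns.append(match.group(2).strip())
    return dns


def normalize_dn(dn: str) -> str:
    """Normalise an RFC 2253 style DN so spacing and case differences do not matter."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_debug_dn(dn: str) -> bool:
    return normalize_dn(dn) == normalize_dn(DEBUG_SIGNER_DN)


def check_release_signing(apksigner_output: str) -> Tuple[bool, str]:
    """Release gate: (ok, reason).

    Fails closed: an APK with no parseable signer is rejected, since a build
    whose signature cannot be verified must not be shipped either.
    """
    dns = parse_signer_dns(apksigner_output)
    if not dns:
        return False, "no signer certificate found in apksigner output"
    debug_signers = [dn for dn in dns if is_debug_dn(dn)]
    if debug_signers:
        return False, f"debug certificate in use: {debug_signers[0]}"
    return True, f"{len(dns)} release signer(s): {'; '.join(dns)}"


# Constructed sample output for an APK built with the default debug keystore.
DEBUG_APK_OUTPUT = """\
Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: 0000000000000000000000000000000000000000000000000000000000000000
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
"""

# Constructed sample output for an APK signed with a hypothetical release key.
RELEASE_APK_OUTPUT = """\
Signer #1 certificate DN: CN=Example FLW Release, OU=Mobile, O=Example Org, L=Delhi, C=IN
Signer #1 certificate SHA-256 digest: 1111111111111111111111111111111111111111111111111111111111111111
Signer #1 certificate SHA-1 digest: 1111111111111111111111111111111111111111
"""


if __name__ == "__main__":
    # In CI this string would come from:
    #   apksigner verify --print-certs app-release.apk
    for label, output in (("debug build", DEBUG_APK_OUTPUT), ("release build", RELEASE_APK_OUTPUT)):
        ok, reason = check_release_signing(output)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
```

      In a pipeline, pipe the real `apksigner verify --print-certs` output into `check_release_signing` and fail the job when it returns `False`; comparing against a pinned SHA-256 fingerprint of the organisation's actual release certificate, rather than only excluding the debug DN, is the stricter variant once that fingerprint is known.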

              Assignee: Deep Shikha
              Reporter: Shashank Kharkwal
              Votes: 0
              Watchers: 2
