Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Failure to verify a digital signature, whether manually or programmatically, can result in the execution of malicious code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SEC06-J

High

Probable

Medium

P12

L1

Automated Detection

Automated detection is not feasible in the fully general case. However, an approach similar to Design Fragments [Fairbanks 2007] could assist both programmers and static analysis tools.

ToolVersionCheckerDescription
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.IO.INJ.ANDROID.MESSAGE
JAVA.IO.TAINT.MESSAGE

Android Message Injection (Java)
Tainted Message (Java)

Related Guidelines

ISO/IEC TR 24772:2010

Improperly Verified Signature [XZR]

MITRE CWE

CWE-300, Channel Accessible by Non-endpoint (aka "Man-in-the-Middle")
CWE-319, Cleartext Transmission of Sensitive Information
CWE-347, Improper Verification of Cryptographic Signature
CWE-494, Download of Code without Integrity Check

Bibliography

...


...

Image Modified Image Modified Image Modified