An application security technique known as code signing is gaining importance as the Apple and Android mobile distribution centers require developers to provide the apps they write with a stamp of approval.
Code signing indicates that "you know where the code came from and it hasn't been corrupted," said August Detlefsen, a security consultant for AppSec Consulting, in San Jose CA.
"The purpose is to basically guarantee that when you get some code, you know who it's from," said Frank Kim, principal of security consultancy ThinkSec and curriculum lead for application security, SANS. "It's to give you some level of trust."
Mobile application distributors use code signatures to help prevent malicious code from being distributed among mobile devices. "Both iOS and Android enforce the fact that your code must be signed in order to distribute it through the App Store or Google Play Store, so in order to get your software out there, you must sign it so that at least the identity of the person who created the code is verified," Detlefsen said.
If an attacker were to obtain the private key, he could modify the code and sign it with the private key, leading people to believe that the code came from a trusted source.
Apple goes a step further and adds its signature to the applications distributed via its App Store. Before any code runs on an iOS device -- assuming it hasn't been jailbroken -- the device verifies the signatures. This helps ensure the code has not been modified.
Developers who submit code for distribution via Apple's App Store don't have to be concerned with the details of code signing. "When I register for the iOS development program, it's pretty straightforward," Kim said. "Apple makes the process as seamless as possible."
In other scenarios, the process of code signing is a bit more involved. "If you're developing other types of software, server-side apps, or those distributed to enterprise customers in a different way, then it's more cumbersome because the infrastructure is not there," Kim said.
Code is signed using public key cryptography. The process begins with the generation of a cryptographic hash. This is done by running the source code or compiled executable through a one-way function that calculates a checksum based on the bits in the code, Detlefsen explained. The resulting cryptographic hash is unique and non-reversible. The hash is sent through another cryptographic function along with a unique key known only to the user, resulting in a signature. It is a short alphanumeric string that is associated with the code. A public key, associated with the private key but freely sharable, can be used to verify the code is signed with the private key by running the signature and the corresponding public key though a signature verification function.
Public and private keys can be generated at no cost using one of the many key generator tools that can be found online, Detlefsen said. However, these keys do not offer verification that you are who you say you are. After all, Detlefsen pointed out, "Just because the code is signed doesn't mean that the [developer of that code] knows what they're doing."
An alternative is to purchase keys from a certificate authority, like VeriSign or DigiCert. These companies validate the identities of their customers. Information such as the signer's name and organization is included with the code signature, and can be verified with the certificate authority.
There are no risks involved with the code signing process itself. However, the private key must be kept private. If an attacker were to obtain the private key, he could modify the code and sign it with the private key, leading people to believe the code came from a trusted source when in fact it did not.
While developers benefit from signing their own code, they also benefit from the signatures on the code they use. "A lot of developers use third-party code and open source libraries. If you're building significant apps that require security, you should also check the authenticity of the code you're using," Detlefsen said. An attacker could insert malicious code into an open source library. "Code signing provides one way of knowing that the code you're downloading is verified to be the original and hasn't been tainted in some way," he said. "Before you run it, verify the signature."
But not all code is signed in the first place. "Code signing is becoming more well-known and practiced because these distribution centers are requiring it. But as far as code you download over the Internet, or let's say there's an applet in your website or a flash app on a website, you might not know where it came from or whether it was something the original developers put there," Detlefsen said.