I've read PackageInfo.GET_SIGNATURES might be related to the FakeID vulnerability.
If I got it right, it doesn't return only valid certificates, so I can mess up the certificates and add invalid ones there that would break the chain of trust, and those certificates will still be returned by GET_SIGNATURES. And on KitKat and below, Android implemented some of the certificate checks wrong and didn't check everything it should have, so the chain could be broken but everything still appeared to be correct. Did I get it right?
If I did, I have a question.
- Since GET_SIGNATURES returns whatever certificates the app holds, whether it has proven it can hold them or not, how can I decently check if one of the certificates of an app is valid? This question holds for both KitKat and below, and for Lollipop and above (until Pie, where we can use GET_SIGNING_CERTIFICATES, which returns only valid ones and ends this).
- I thought about using PackageManager.checkSignatures(). But... is it affected by the vulnerability below Pie (that includes KitKat and below, and Lollipop and above)? I ask because I don't know how the packages are checked (abstract method). I guess from Lollipop onwards it is OK because they fixed the thing? If that's correct, still, what about KitKat and below? Am I required to check the chain of trust myself in that case? (Or in any other case? Check anyway!?)
EDIT: checkSignatures() seems to check whether all the signatures are equal in both packages, so that would get around the vulnerability. Then I change my question: to check whether only one of the certificates returned by GET_SIGNATURES is valid, do I need to code my own chain-of-trust algorithm?
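An added example, not code from the question or from Android itself, showing the check a practitioner would write instead of re-implementing chain validation: it gathers the certificates the platform reports for a package (GET_SIGNING_CERTIFICATES on API 28+, GET_SIGNATURES below), fingerprints each one with SHA-256, and accepts the package only if that set is exactly equal to a pinned set. Comparing the whole set, rather than asking whether any one certificate matches, is what stops a pre-Pie check from being satisfied by extra, unverifiable certificates placed in the signature block, and it is the same exact-set comparison that checkSignatures() performs between two packages. The class name, the package names in the usage note and the pinned fingerprint are placeholders.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;

import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Pins a package to the exact set of certificates it is signed with (added example, not from the question). */
public final class SignerPin {

    private SignerPin() {}

    /**
     * SHA-256 fingerprints (lowercase hex) of every signing certificate the platform reports for
     * packageName. Below API 28 this is whatever GET_SIGNATURES hands back, chained or not, so the
     * caller must compare the whole set and never ask "does any entry match".
     */
    @SuppressWarnings("deprecation")
    public static Set<String> signerFingerprints(PackageManager pm, String packageName)
            throws PackageManager.NameNotFoundException, GeneralSecurityException {
        Signature[] sigs;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // API 28+: only certificates the APK has proven it holds (verified by the platform).
            // Current signers only; a rotated key shows up as a new certificate here.
            PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES);
            sigs = info.signingInfo.getApkContentsSigners();
        } else {
            // Pre-28: GET_SIGNATURES returns every certificate found in the signature block.
            PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
            sigs = info.signatures;
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Set<String> out = new HashSet<>();
        for (Signature sig : sigs) {
            // Parse so that garbage that is not an X.509 certificate is rejected, then hash the DER.
            X509Certificate cert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(sig.toByteArray()));
            out.add(hex(sha256.digest(cert.getEncoded())));
        }
        return Collections.unmodifiableSet(out);
    }

    /** True only if the reported signer set is exactly the pinned set: no extra, no missing certificate. */
    public static boolean isSignedBy(PackageManager pm, String packageName, Set<String> pinned) {
        try {
            return signerFingerprints(pm, packageName).equals(pinned);
        } catch (PackageManager.NameNotFoundException | GeneralSecurityException e) {
            return false; // not installed, or an unparsable certificate: treat as untrusted
        }
    }

    /** Same-signer test that relies on the platform's own exact-set comparison. */
    public static boolean sameSignerAsCaller(PackageManager pm, String callerPkg, String otherPkg) {
        return pm.checkSignatures(callerPkg, otherPkg) == PackageManager.SIGNATURE_MATCH;
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Usage from an Activity or Service: `SignerPin.isSignedBy(getPackageManager(), "com.example.partner", Collections.singleton("<sha256 of the partner's signing certificate, lowercase hex>"))`. The pinned fingerprint is a placeholder; obtain the real one from an APK you trust (for example with `apksigner verify --print-certs`). Because the method on API 28+ reads the current signers, the pinned set has to be updated when the partner rotates its signing key; on that API level SigningInfo also offers hasSigningCertificate() and getSigningCertificateHistory() if you want to accept a previous key in the rotation lineage.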