Android Studio warning when using PackageManager.GET_SIGNATURES

Question

I need to get the package signature, and I currently get it using this code:

Signature[] sigs = c.getPackageManager()
                        .getPackageInfo(c.ge         


        

Answer 1

Tracing the popup text leads to this source code fragment of Android Studio.
In the same file there is a line containing a link to the outern resource.
Further tracking leads to this presentation about the "Fake ID" vulnerability.

Description of a problem:

The problem is that when Android builds the chain-of-trust, the verification process only compares the ‘subject’ rather than comparing the actual key with the one provided within the details of the certificate’s signer. As a result, an attacker can tinker with the chain-of-trust and claim to be signed by a party – without the party actually signing.

Due to this bug a wrong certificate chain is generated, and might include legitimate certificates, which are embedded in APK but weren’t been used to actually sign the application.

Here is the commit to Android source code, that prevents using this vulnerability. That means if the device has Android 4.4 the problem is not happening. When running lower Android API devices, it might cause harm.