Good idea. While my pile of Android apps is aging, it's still ~1M apps. And yes, I'm seeing a good number of private keys already...
Would you mind making a PR on https://github.com/BenBE/kompromat ? TIA. Anonymous submissions accepted too ;-)
Replying to @BenBE1987 @hanno and
I've got 175 APKs with non-bouncycastle-sample private key files in them. Will have to sift through them to determine best plan of action.
Replying to @wdormann @BenBE1987 and
So you should definitely check them against CT. Check the SPKI hash via crt.sh; if you need help, ping me.
Replying to @hanno @BenBE1987 and
I'll need an OpenSSL (or other?) cmdline to get the SPKI hash from a private key. My google-fu is failing me.
Replying to @wdormann @BenBE1987 and
openssl pkey -in keyfile -pubout -outform der|sha256sum
Replying to @hanno @BenBE1987 and
None of the 53 uniques are in crt.sh. Pass-protected ones result in a prompt from openssl, so I don't think this cmd works for them. Alternative?
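The openssl one-liner above, turned into a script for a directory of key files pulled out of APKs (an added example, not code from anyone in the thread): it dedupes the SPKI hashes, skips passphrase-protected keys instead of hanging on a prompt, and prints a crt.sh lookup URL per unique hash. It assumes openssl, sha256sum and mktemp are on PATH, that key files end in .pem/.key/.der, and that crt.sh accepts the ?spkisha256= query form.

```shell
#!/bin/sh
# Added example (not from the thread): compute the SPKI SHA-256 of each private
# key file pulled out of a pile of APKs, so the hashes can be looked up in CT.
# Assumes openssl, sha256sum and mktemp are on PATH; key files are PEM or DER.

# Print "<spki-sha256> <file>" for one unencrypted private key.
# Encrypted keys (PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED")
# are reported on stderr and skipped instead of blocking on a passphrase prompt.
spki_hash() {
    f="$1"
    if grep -q 'ENCRYPTED' "$f" 2>/dev/null; then
        echo "ENCRYPTED $f" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # -passin pass: makes openssl fail instead of prompting on an encrypted DER key.
    # Writing to a file matters: piping a failed openssl straight into sha256sum
    # silently yields the hash of empty input (e3b0c442...), not an error.
    if ! openssl pkey -in "$f" -pubout -outform DER -passin pass: -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "UNREADABLE $f" >&2
        return 1
    fi
    h=$(sha256sum "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"
    echo "$h $f"
}

# Walk the given directories, hash every *.pem/*.key/*.der file, and print each
# unique SPKI hash once as a crt.sh URL followed by the files that share it
# (the ?spkisha256= query form is assumed here; confirm it against crt.sh).
collect() {
    find "$@" -type f \( -name '*.pem' -o -name '*.key' -o -name '*.der' \) |
    while IFS= read -r f; do spki_hash "$f" || :; done |
    sort | awk '
        $1 != last { if (last != "") print ""; last = $1
                     print "https://crt.sh/?spkisha256=" $1 }
        { print "  " substr($0, 66) }'
}

if [ "$#" -gt 0 ]; then
    collect "$@"
fi
```

Run it as `sh spki_hashes.sh extracted_apks/` and paste each URL into a browser; an empty crt.sh result means no publicly logged certificate uses that key, not that the key is harmless.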
Replying to @wdormann @BenBE1987 and
If they're password protected, you may wanna run strings and try to bruteforce the password with it.
Replying to @hanno @BenBE1987 and
I may look at a few. Is the presence of a private key in an app always a bad idea? Or just if it's used elsewhere important?
Replying to @wdormann @BenBE1987 and
Well, it's not a private key any more if it's in an app. I can't think of a situation where that makes sense, except for testing code.
My thoughts exactly. Just wanted to make sure I wasn't overlooking something obvious.
Replying to @wdormann @BenBE1987 and
Also remember all the Superfishes, PrivDogs and eDells; that's often a (bad) reason to bundle private keys.