🐛 [BUG] - The fact that BlissOS OFFICIAL build's platform key is public should be documented

[bk138]

Description

While doing work for a customer I stumbled upon the fact that the official builds available for download at https://blissos.org are built with a publicly available platform key:

• https://github.com/BlissRoms-x86/platform_build/raw/arcadia-x86/target/product/security/platform.pk8
• https://raw.githubusercontent.com/BlissRoms-x86/platform_build/arcadia-x86/target/product/security/platform.x509.pem

This poses a significant security risk for users of the official builds as any adversary can simply sign their app with the platform key and gain elevated permissions for their app.

While it may not be feasible for you guys to keep secret keys for every build, this should at least be documented in the Download and/or Licensing section at https://blissos.org.

Reproduction steps

1. Download and install BlissOS v15.9 OFFICIAL.
2. Download https://github.com/BlissRoms-x86/platform_build/raw/arcadia-x86/target/product/security/platform.pk8 and https://raw.githubusercontent.com/BlissRoms-x86/platform_build/arcadia-x86/target/product/security/platform.x509.pem
3. `apksigner sign --key platform.pk8 --cert platform.x509.pem malicious.apk`
4. `adb install malicious.apk`
5. Watch it 💣

Screenshots

No response

Logs

No response

Category

Other

OS Version

15.x

[hmtheboy154]

That just default AOSP key

[bk138]

That just default AOSP key

Yes. I'm suggesting that this should be documented for downloaders/users of the official images as they're probably not aware of what this means and implies.