The APK is not digitally signed.
Trick users into installing an APK that is not owned by the original author.
Digitally sign the APK.
Non-authenticated attacker from the Internet.
⌚ 60 minutes.
Default score using CVSS 3.1. It may change depending on the context of the src.
Default score using CVSS 4.0. It may change depending on the context of the src.
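Correctly configure the signing keys before building the APK:
    import java.io.FileInputStream
    import java.util.Properties

    // Load the signing credentials from a properties file
    // (the file name "keystore.properties" is an assumption)
    val keystoreProperties = Properties().apply {
        load(FileInputStream(rootProject.file("keystore.properties")))
    }

    android {
        signingConfigs {
            getByName("config") {
                keyAlias = keystoreProperties["keyAlias"] as String
                keyPassword = keystoreProperties["keyPassword"] as String
                storeFile = file(keystoreProperties["storeFile"] as String)
                storePassword = keystoreProperties["storePassword"] as String
            }
        }
        // ...
    }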
Unconfigured signing keys for the APK:
    android {
        signingConfigs {
            getByName("config") {
                // empty: no keyAlias, keyPassword, storeFile or storePassword is set
            }
        }
        // ...
    }
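A build pipeline can also check the produced APK itself rather than trusting the Gradle configuration. The following is an added example, not part of the original page: it reports which signature containers an APK carries (v1 JAR signature files in META-INF, or the APK Signing Block used by scheme v2 and later), with hypothetical function names and constructed sample archives whose signature bytes are placeholders. It detects presence only; cryptographic validation is the job of `apksigner verify`.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"    # trailer of the APK Signing Block (v2+)
V1_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")  # JAR (v1) signature block files

def has_v1_signature(apk: bytes) -> bool:
    """v1: META-INF holds MANIFEST.MF, a .SF file and a signature block file."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        meta = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    return ("META-INF/MANIFEST.MF" in meta
            and any(n.endswith(".SF") for n in meta)
            and any(n.endswith(V1_BLOCK_SUFFIXES) for n in meta))

def has_signing_block(apk: bytes) -> bool:
    """v2+: the signing block ends with the magic right before the central directory."""
    eocd = apk.rfind(b"PK\x05\x06")          # end-of-central-directory record
    if eocd < 0 or eocd + 22 > len(apk):
        return False
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    return 16 <= cd_offset <= eocd and apk[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC

def signature_schemes(apk: bytes) -> list:
    """Return the signature containers found; an empty list means unsigned."""
    checks = (("v1", has_v1_signature), ("v2+", has_signing_block))
    return [name for name, check in checks if check(apk)]

# --- Constructed samples: placeholder bytes, not real signatures ---
def build_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def add_empty_signing_block(apk: bytes) -> bytes:
    eocd = apk.rfind(b"PK\x05\x06")
    cd = struct.unpack_from("<I", apk, eocd + 16)[0]
    block = struct.pack("<QQ", 24, 24) + APK_SIG_BLOCK_MAGIC  # size, size, magic
    out = bytearray(apk[:cd] + block + apk[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))
    return bytes(out)

UNSIGNED = build_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex"})
V1_SAMPLE = build_zip({"AndroidManifest.xml": b"<manifest/>", "META-INF/MANIFEST.MF": b"",
                       "META-INF/CERT.SF": b"", "META-INF/CERT.RSA": b""})
V2_SAMPLE = add_empty_signing_block(UNSIGNED)
```

Failing the pipeline when `signature_schemes()` returns an empty list for a release artifact catches the unconfigured case shown above before the APK is distributed.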