APatch has a privilege escalation vulnerability

### Please check before submitting an issue | 在提交 Issue 前请检查

- [x] I searched the issues and didn't found anything relevant | 我已经搜索了 Issues 列表，没有发现于本问题相关内容
- [x] If the patch fails or the image cannot be booted after flashing the new boot.img, visit KernelPatch to clarify your doubts | 修复失败或刷入修补后镜像不能启动，请前往 KernelPatch 提问
- [x] I will upload the bug report file in APatch Manager > Settings > Send logs | 我会上传 Bug Report 文件从 APatch 管理器 > 设置 > 发送日志
- [x] I know how to reproduce the issue, which might not be specific to my device | 我知道如何重新复现这个问题

### Version requirements | 版本要求

- [x] I'm using the latest CI version of APatch Manager | 我正在使用最新 CI 版本

### Bug description | 描述 Bug

APatch stores the encrypted SuperKey in the application's private data directory (config -> super_key_enc / super_key_iv),  
with the decryption key stored in the AndroidKeyStore under the alias "APatchSecurityKey".

The following issue exists:

An app with root access can impersonate APatch's UID to call keyStore.getKey("APatchSecurityKey", null) and retrieve the decryption key. By analyzing the source code, the encrypted ciphertext can be decrypted.

Impact of the vulnerability:

When a malicious app is granted root access, it can decrypt the SuperKey, escalate privileges to the kernel level, and potentially perform actions such as silently approving app permissions without user consent.

This vulnerability has been successfully reproduced on real devices equipped with a hardware security chip (TEE).

### Reproduce method | 复现方法

Using tools such as Frida to inject into the APatch process, then send requests to the AndroidKeyStore with its UID, and subsequently perform decryption according to the encryption method outlined in the source code.

[direct_decrypt.js.txt](https://github.com/user-attachments/files/25241030/direct_decrypt.js.txt)

### Expected behavior | 预期行为

The SuperKey should not be accessible to apps with root permissions

### Actual behavior | 实际行为

Malicious apps can illegally escalate privileges to the kernel level.

### Screenshots | 截图

_No response_

### Logs | 日志

_No response_

### Device name | 设备名称

CD_WATCH

### OS version | 系统版本

android 9 sdk28

### APatch version | APatch 版本

11142

### Kernel version | 内核版本

4.14.98

### KernelPatch version | KernelPatch 版本

0.12.2

### Other information | 其他信息

无

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

APatch has a privilege escalation vulnerability #1392

Please check before submitting an issue | 在提交 Issue 前请检查

Version requirements | 版本要求

Bug description | 描述 Bug

Reproduce method | 复现方法

Expected behavior | 预期行为

Actual behavior | 实际行为

Screenshots | 截图

Logs | 日志

Device name | 设备名称

OS version | 系统版本

APatch version | APatch 版本

Kernel version | 内核版本

KernelPatch version | KernelPatch 版本

Other information | 其他信息

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

APatch has a privilege escalation vulnerability #1392

Description

Please check before submitting an issue | 在提交 Issue 前请检查

Version requirements | 版本要求

Bug description | 描述 Bug

Reproduce method | 复现方法

Expected behavior | 预期行为

Actual behavior | 实际行为

Screenshots | 截图

Logs | 日志

Device name | 设备名称

OS version | 系统版本

APatch version | APatch 版本

Kernel version | 内核版本

KernelPatch version | KernelPatch 版本

Other information | 其他信息

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions