05-21-2018 10:19
Hi,
Today when I launched the simulator it prompted to be updated to 0.5.8, I let it install the update and noticed that the application was removed by my AV software because it claimed it had found "Atc4.Detection" in the Fitbit simulator files.
This surprised me, but I'm not just going to assume software is virus free, so I started a full scan and downloaded a new installer from the Fitbit website over SSL. I then tried to verify the signature using signtool.exe but I received the error: "SignTool Error: No signature found.".
Which leads me to the question: how can we verify that the .exe is valid and provided by Fitbit? Is the legit version signed? If it is, it seems as if my connection is compromised; if not, and the official .exe isn't signed, how can I then verify the exe? Are there hashes hosted securely somewhere I can compare against?
Thanks in advance. Looking forward to learning how to verify the Fitbit simulator installation integrity.
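The "No signature found" result above can be reproduced without signtool: an Authenticode signature lives in the PE image's security data directory, and signtool reports that error when the entry is empty. The following is an added example, not code from the original post or from Fitbit, that parses the PE headers to check whether a certificate table is attached and hashes the file for comparison with a checksum obtained out of band. The sample PE image it builds is constructed for the demo and is not a real executable; the helper names (`authenticode_present`, `build_sample_pe`, and so on) are this example's own.

```python
"""Added example: detect whether a Windows PE installer carries an embedded
Authenticode signature (what `signtool verify` reports as "No signature found"
when absent) and hash the file for comparison with a checksum obtained out of
band. Standard library only; the sample PE image built below is constructed
for the demo and is not a real executable."""
import hashlib
import hmac
import struct
import sys

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory table
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def authenticode_present(data: bytes) -> bool:
    """True if the PE image has a non-empty security directory, i.e. a
    WIN_CERTIFICATE table is attached. Presence is not validity: a real
    check also verifies the PKCS#7 content and the certificate chain."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", data, num_dirs_off)
    if num_dirs <= SECURITY_DIR_INDEX:
        return False
    entry = dirs_off + 8 * SECURITY_DIR_INDEX
    if entry + 8 > opt + size_opt:
        raise ValueError("data directory table runs past the optional header")
    # Unlike the other directories, the security entry holds a raw file offset.
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return False
    if offset + size > len(data):
        raise ValueError("security directory points outside the file")
    return True


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_published_hash(data: bytes, published_hex: str) -> bool:
    """Compare against a hash obtained through a channel other than the
    download itself (vendor page, release notes), in constant time."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 image for the demo: DOS header, PE signature,
    COFF header, optional header with 16 data directories and no sections.
    With signed=True a dummy WIN_CERTIFICATE record (not a real PKCS#7
    SignedData) is appended and referenced from the security directory."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    headers_len = 64 + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        body = b"\x30\x00"  # placeholder DER bytes standing in for the PKCS#7 blob
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7)
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    # Usage: python check_pe.py <installer.exe> [published-sha256]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_pe(signed=False)
    print("authenticode table present:", authenticode_present(blob))
    print("sha256:", sha256_hex(blob))
    if len(sys.argv) > 2:
        print("matches published hash:", matches_published_hash(blob, sys.argv[2]))
```

Two caveats for anyone using this on a real installer. A present certificate table only means something is attached; the actual chain and hash validation is what `signtool verify /pa /v file.exe` or PowerShell's `Get-AuthenticodeSignature` performs, and that is the check that settles the AV question. And a published SHA-256 only helps if it was computed over the exact file as shipped: attaching a signature appends bytes to the image, so the hash of a signed build differs from the hash of the same build before signing.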

Accepted Solutions
05-31-2018 10:10
We're already signed on Mac, but the next release will be signed on Windows too.
05-22-2018 20:12
The easiest way is to check that you downloaded the file over HTTPS.

05-22-2018 22:26
Hi EmTe,
Thanks for the reply.
From my point of view, HTTPS only protects the packages during transport and doesn't verify the content. To me that means that if any endpoint is compromised, HTTPS would still happily send over the bits without any issues.
Let's assume for a moment that a web node at Fitbit was compromised. From an attacker's point of view, replacing a commonly downloaded .exe is an excellent way of getting your own bits out on a lot of machines. Such an executable probably wouldn't be signed either.
I know this scenario isn't very likely, but it's still possible. And since my AV software marks the file as infected, the burden lands upon me to give proof to IT that it is safe to execute. If the file were signed or had a verifiable checksum, that would be easy and good enough proof.
I'd be happy to be proven wrong in any of my assumptions or if you have any alternative way of proving integrity/source.
Actually, given your suggestion, do you know an easy way to prove that a file was downloaded through HTTPS?
Thanks 😊

05-22-2018 22:48
@ILOABN wrote: Actually, given your suggestion, do you know an easy way to prove that a file was downloaded through HTTPS?
The only way is to download it again to make sure.
In fact, I did exactly that at the start. When I first downloaded the simulator and double clicked on it I found that it wasn't signed and was suspicious. So I went to download it again and while it was downloading, I checked that the URL was over HTTPS.
But yes, it is not as resilient as being signed directly. For example, I won't be downloading it from another computer and copying it over to my computer using a USB drive because I don't know if the other computer has been compromised or not.

05-23-2018 03:43
Not sure if looking at the URL is enough in my case. If I can't prove the executable's validity, it becomes hard for me and IT to accept it.
Also, the latest version I see mentioned in the release notes is 0.5.0, while the one I get using the normal URL is 0.5.8. That also increases my level of suspicion.
What I want to do is prove that the Fitbit installer is a false positive from my AV. To do that I need to prove that the installer is safe; a checksum, or the file being signed, would easily do that. That way I could report it to the AV vendor to get them to remove the false positive.
It sounds like the installer isn't signed (it would be nice to have an official source on this), and if that's the case I'll just have to report the false positive to the AV vendor and hope they can do something about it. It would just be a lot easier and faster if there were an official checksum or if it were signed.

06-01-2018 00:15
Thanks for that reply Liam! 😊
Couldn't get a more positive reply. I don't need to worry about my machine being infected as much, since the executable not being signed is the current state, and the next released version will be signed, so it's obvious that Fitbit cares.
Have a fantastic weekend!

