-
Notifications
You must be signed in to change notification settings - Fork 0
Application Signing
All APKS must be digitally signed with a certificate to be installed. There are two schemes.
- All files signed with a common certificate
- Not all of the file is signed
- Lots of untrusted data structures must be processed and then discarded if not covered by signatures
- Larger attack surface
- Whole file is signed
- APK signing block is inserted into APK before the Zip Central Directory
Keytool is located in Android Studio/JRE/Bin
keytool -genkey -v keystore key.keystore -alias aliasname -keyalg RSA -keysize 2048 -validity 73000 -storepass password
- APKSigner included in Android SDK build-tools directory
- JarSigner in AndroidStudio/JRE/Bin
apksigner sign -out app.apk -ks keystore.jks unsigned.apk
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore keystore app.apk alias
https://developer.android.com/studio/command-line/zipalign
zipaligner within the build-tools directory of the Android SDK optimises APK files. You must use zipalign before signing the application with apksigner and after signing with jarsigner
zipalign -f -v 4 app.apk outapp.apk
Use apksigner to verify if an app has been signed and by which scheme:
apksinger verify --verbose app.apk