Android Application signing and signature verification

Application signing

Application Signing is the process through which an APK (Android Package) is signed with a private key that uniquely identifies the app's developer. This process ensures that the app comes from the claimed developer without being tampered with after it was signed. Here’s a detailed breakdown:

Generating a Keystore

• Developers create a keystore, a binary file that contains cryptographic keys. This keystore contains a private key that is used to sign the APK.
• The keystore is protected by a password, which should be kept secure to prevent unauthorized access.

Signing the APK

• During or after the build process, the APK is signed using the private key stored in the keystore.
• This process generates a digital signature by a hash function, creating a unique digest of the APK’s content.
• The digest is then encrypted with the developer’s private key, and the result is stored within the APK.

Certificate Inclusion

• The APK includes a certificate containing the public key corresponding to the private key used for signing.
• This certificate is used for verifying the digital signature during the installation process.

Why Application Signing is Important?

• Ensures Authenticity: Confirms the identity of the app’s developer.
• Protects Integrity: Ensures the app has not been tampered with since it was signed.
• Enables Secure Updates: Guarantees that updates come from the original developer, as updates must be signed with the same key.

Signature Verification

Signature Verification is the process by which the Android operating system checks the digital signature of an APK to ensure its integrity and authenticity before installation. Check out this post on Reddit on How can you easily verify an APK's signature / authenticity? and aftet his come back here to read how verification works:

Extracting the Certificate

When an APK is downloaded and installation is initiated, the device extracts the certificate containing the public key from the APK.

Decrypting the Signature

• The device uses the public key extracted from the certificate to decrypt the digital signature embedded in the APK.
• Decryption yields the original hash (digest) which was generated during the signing process.

Generating the Hash

Independently, the device generates its own hash of the APK’s contents. This is done using the same hash function used during the signing process.

Comparing Hashes

• The device compares the independently generated hash with the decrypted hash from the digital signature.
• Match: If the hashes match, the APK is verified as authentic and untampered, allowing installation to proceed.
• Mismatch: If the hashes do not match, it indicates that the APK may have been altered since it was signed, and the installation is blocked.

Why Signature Verification is Important?

• Validates Authenticity: Ensures the APK was signed by the stated developer.
• Maintains Integrity Confirms the APK has not been modified since it was signed.
• Protects Users Blocks potentially malicious APKs from being installed.

Which One Signature Should I Choose if an app has Multiple Signatures?

Most apps have a single valid signature, but some can have more. You need to match the APK's signature with the one already installed on your device to avoid update errors.

Reasons for Multiple Signatures

• Key Rotation: Android 9 allows developers to switch signing keys. This is due to APK Signature Scheme v3.
• Distribution Channels: Apps from different sources (e.g., Play Store, Github) may have different signatures.
• System Apps: Signing keys for system apps can vary by device or OS version.
• Unexplained Cases: Some apps like Google's Files and Play services simply have multiple signatures.

How to Identify the Correct Signature:

1. AndroidFreeware has a sophisticated APK Checker which performs, Android permissions check, detects dangerous Flags & Filters, calculates md5, sha1, sha256 checksums, and perform VirusTotal antivirus checks.
2. Use tools like My APK to view app signatures.
3. Use the Trial and Error approach. Install different APKs until the update works, then remember the correct signature for future updates.
4. Upload the app to APKMirror using ML Manager to find the existing signature.
5. Some desktop tools can find the signature of apk file. Among them are apksigner by Google, the keytool by IBM, and print-apk-signature by Warren Bank.

---

Table of Contents

• Is AndroidFreeware safe?
• What is Android OS?
• What is Android App / Game?
• What is an APK File?
• Are APK files Safe and Legal?
• What are APK files, APK bundles, and how to safely open them?
• How to Download and Install APK files or APK Bundles?
• Android Application signing and signature verification
• Android Permissions: The Hidden Dangers and How to Protect Yourself
• Where APK files are stored on my Android device?
• What Are The Contents of An APK File?
• Can APK files run on Chromebooks, Windows 10, PC, iOS?
• Why an APK file is not Installed, Opening or Working?