Home | History | Annotate | Download | only in apksigning 
      1 page.title=Application Signing
      2 @jd:body
      3 
      4 <!--
      5     Copyright 2016 The Android Open Source Project
      6 
      7     Licensed under the Apache License, Version 2.0 (the "License");
      8     you may not use this file except in compliance with the License.
      9     You may obtain a copy of the License at
     10 
     11         http://www.apache.org/licenses/LICENSE-2.0
     12 
     13     Unless required by applicable law or agreed to in writing, software
     14     distributed under the License is distributed on an "AS IS" BASIS,
     15     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     16     See the License for the specific language governing permissions and
     17     limitations under the License.
     18 -->
     19 <div id="qv-wrapper">
     20   <div id="qv">
     21     <h2>In this document</h2>
     22     <ol id="auto-toc">
     23    </ol>
     24   </div>
     25 </div>
     26 
     27 <p>
     28 Application signing allows developers to identify the author of the application
     29 and to update their application without creating complicated interfaces and
     30 permissions. Every application that is run on the Android platform must be <a
     31 href="https://developer.android.com/studio/publish/app-signing.html">signed by
     32 the developer</a>. Applications that attempt to install without being signed
     33 will be rejected by either Google Play or the package installer on the Android
     34 device.
     35 </p>
     36 <p>
     37 On Google Play, application signing bridges the trust Google has with the
     38 developer and the trust the developer has with their application. Developers
     39 know their application is provided, unmodified, to the Android device; and
     40 developers can be held accountable for behavior of their application.
     41 </p>
     42 <p>
     43 On Android, application signing is the first step to placing an application in
     44 its Application Sandbox. The signed application certificate defines which user
     45 ID is associated with which application; different applications run under
     46 different user IDs. Application signing ensures that one application cannot
     47 access any other application except through well-defined IPC.
     48 </p>
     49 <p>
     50 When an application (APK file) is installed onto an Android device, the Package
     51 Manager verifies that the APK has been properly signed with the certificate
     52 included in that APK. If the certificate (or, more accurately, the public key in
     53 the certificate) matches the key used to sign any other APK on the device, the
     54 new APK has the option to specify in the manifest that it will share a UID with
     55 the other similarly-signed APKs.
     56 </p>
     57 <p>
     58 Applications can be signed by a third-party (OEM, operator, alternative market)
     59 or self-signed. Android provides code signing using self-signed certificates
     60 that developers can generate without external assistance or permission.
     61 Applications do not have to be signed by a central authority. Android currently
     62 does not perform CA verification for application certificates.
     63 </p>
     64 <p>
     65 Applications are also able to declare security permissions at the Signature
     66 protection level, restricting access only to applications signed with the same
     67 key while maintaining distinct UIDs and Application Sandboxes. A closer
     68 relationship with a shared Application Sandbox is allowed via the <a
     69 href="https://developer.android.com/guide/topics/manifest/manifest-element.html#uid">shared
     70 UID feature</a> where two or more applications signed with same developer key
     71 can declare a shared UID in their manifest.
     72 </p>
     73 <h2>APK signing schemes</h2>
     74 <p>
     75 Android supports two application signing schemes, one based on JAR signing (v1
     76 scheme) and <a href="v2.html">APK Signature Scheme v2 (v2 scheme)</a>, which
     77 was introduced in Android Nougat (Android 7.0).
     78 </p>
     79 <p>
     80 For maximum compatibility, applications should be signed both with v1 and v2
     81 schemes. Android Nougat and newer devices install apps signed with v2 scheme
     82 more quickly than those signed only with v1 scheme. Older Android platforms
     83 ignore v2 signatures and thus need apps to contain v1 signatures.
     84 </p>
     85 <h3 id="v1">JAR signing (v1 scheme)</h3>
     86 <p>
     87 APK signing has been a part of Android from the beginning. It is based on <a
     88 href="https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File">
     89 signed JAR</a>. For details on using this scheme, see the Android Studio documentation on
     90 <a href="https://developer.android.com/studio/publish/app-signing.html">Signing
     91 your app</a>.
     92 </p>
     93 <p>
     94 v1 signatures do not protect some parts of the APK, such as ZIP metadata. The
     95 APK verifier needs to process lots of untrusted (not yet verified) data
     96 structures and then discard data not covered by the signatures. This offers a
     97 sizeable attack surface. Moreover, the APK verifier must uncompress all
     98 compressed entries, consuming more time and memory. To address these issues,
     99 Android 7.0 introduced APK Signature Scheme v2.
    100 </p>
    101 <h3 id="v2">APK Signature Scheme v2 (v2 scheme)</h3>
    102 <p>
    103 Android 7.0 introduces APK signature scheme v2 (v2 scheme). The contents of the
    104 APK are hashed and signed, then the resulting APK Signing Block is inserted
    105 into the APK. For details on applying the v2 scheme to an application, refer to
    106 <a href="https://developer.android.com/preview/api-overview.html#apk_signature_v2">APK
    107 Signature Scheme v2</a> in the Android N Developer Preview.
    108 </p>
    109 <p>
    110 During validation, v2 scheme treats the APK file as a blob and performs signature
    111 checking across the entire file. Any modification to the APK, including ZIP metadata
    112 modifications, invalidates the APK signature. This form of APK verification is
    113 substantially faster and enables detection of more classes of unauthorized
    114 modifications.
    115 </p>
    116 <p>
    117 The new format is backwards compatible, so APKs signed with the new signature
    118 format can be installed on older Android devices (which simply ignore the extra
    119 data added to the APK), as long as these APKs are also v1-signed.
    120 </p>
    121 <p>
    122   <img src="../images/apk-validation-process.png" alt="APK signature verification process" id="figure1" />
    123 </p>
    124 <p class="img-caption"><strong>Figure 1.</strong> APK signature verification
    125 process (new steps in red)</p>
    126 
    127 <p>
    128 Whole-file hash of the APK is verified against the v2 signature stored in the
    129 APK Signing Block. The hash covers everything except the APK Signing Block,
    130 which contains the v2 signature. Any modification to the APK outside of the APK
    131 Signing Block invalidates the APK's v2 signature. APKs with stripped v2
    132 signature are rejected as well, because their v1 signature specifies that the
    133 APK was v2-signed, which makes Android Nougat and newer refuse to verify APKs
    134 using their v1 signatures.
    135 </p>
    136 
    137 <p>For details on the APK signature verification process, see the <a href="v2.html#verification">
    138 Verification section</a> of APK Signature Scheme v2.</p>
    139