<html devsite>
<head>
<title>Application Signing</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p>
Application signing allows developers to identify the author of an application
and to update their application without creating complicated interfaces and
permissions. Every application that runs on the Android platform must be <a
href="https://developer.android.com/studio/publish/app-signing.html">signed by
the developer</a>. Applications that attempt to install without being signed
are rejected by either Google Play or the package installer on the Android
device.
</p>
<p>
On Google Play, application signing bridges the trust Google has with the
developer and the trust the developer has with their application. Developers
know their application is provided, unmodified, to the Android device, and
developers can be held accountable for the behavior of their application.
</p>
<p>
On Android, application signing is the first step to placing an application in
its Application Sandbox. The signing certificate defines which user ID is
associated with which application; different applications run under different
user IDs. Application signing ensures that one application cannot access any
other application except through well-defined IPC.
</p>
<p>
When an application (APK file) is installed onto an Android device, the Package
Manager verifies that the APK has been properly signed with the certificate
included in that APK. If the certificate (or, more accurately, the public key in
the certificate) matches the key used to sign any other APK on the device, the
new APK can specify in its manifest that it will share a UID with the other
similarly signed APKs.
</p>
<p>
Applications can be signed by a third party (OEM, operator, alternative market)
or self-signed. Android provides code signing using self-signed certificates
that developers can generate without external assistance or permission.
Applications do not have to be signed by a central authority. Android currently
does not perform CA verification for application certificates.
</p>
<p>
Applications can also declare security permissions at the Signature protection
level, restricting access to applications signed with the same key while
maintaining distinct UIDs and Application Sandboxes. A closer relationship with
a shared Application Sandbox is allowed via the <a
href="https://developer.android.com/guide/topics/manifest/manifest-element.html#uid">shared
UID feature</a>, where two or more applications signed with the same developer
key can declare a shared UID in their manifest.
</p>
<h2>APK signing schemes</h2>
<p>
Android supports two application signing schemes: one based on JAR signing (v1
scheme) and <a href="v2.html">APK Signature Scheme v2 (v2 scheme)</a>, which
was introduced in Android Nougat (Android 7.0).
</p>
<p>
For maximum compatibility, applications should be signed with both the v1 and
v2 schemes. Android Nougat and newer devices install apps signed with the v2
scheme more quickly than those signed only with the v1 scheme. Older Android
platforms ignore v2 signatures and thus need apps to contain v1 signatures.
</p>
<h3 id="v1">JAR signing (v1 scheme)</h3>
<p>
APK signing has been a part of Android from the beginning. It is based on <a
href="https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File">
signed JAR files</a>. For details on using this scheme, see the Android Studio
documentation on
<a href="https://developer.android.com/studio/publish/app-signing.html">Signing
your app</a>.
</p>
<p>
v1 signatures do not protect some parts of the APK, such as ZIP metadata. The
APK verifier needs to process lots of untrusted (not yet verified) data
structures and then discard data not covered by the signatures. This offers a
sizeable attack surface. Moreover, the APK verifier must uncompress all
compressed entries, consuming more time and memory. To address these issues,
Android 7.0 introduced APK Signature Scheme v2.
</p>
<h3 id="v2">APK Signature Scheme v2 (v2 scheme)</h3>
<p>
Android 7.0 introduces APK Signature Scheme v2 (v2 scheme). The contents of the
APK are hashed and signed, then the resulting APK Signing Block is inserted
into the APK. For details on applying the v2 scheme to an application, refer to
<a href="https://developer.android.com/about/versions/nougat/android-7.0.html#apk_signature_v2">APK
Signature Scheme v2</a> in the Android N Developer Preview.
</p>
<p>
During validation, the v2 scheme treats the APK file as a blob and performs
signature checking across the entire file. Any modification to the APK,
including ZIP metadata modifications, invalidates the APK signature. This form
of APK verification is substantially faster and enables detection of more
classes of unauthorized modifications.
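As an added example (not code from this page or from the Android project), the following Python locates the APK Signing Block that v2 validation checks, lists the ID-value pairs it contains, and flags the stripped-v2 case described further down this page, where the v1 signature records that the APK was v2-signed but the block is gone. The block-format constants, the X-Android-APK-Signed .SF attribute and the sample-APK builder are assumptions taken from the v2 scheme rather than from this page, and the sample files it builds are constructed, not genuinely signed.

```python
import io, struct, zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # from the v2 spec (not on this page): last 16 bytes of the block
V2_BLOCK_ID = 0x7109871A              # from the v2 spec: ID of the pair holding the v2 signature
SF_V2_ATTR = "X-Android-APK-Signed"   # v1 .SF attribute recording that the APK was v2-signed

def eocd_and_cd_offset(apk):
    eocd = apk.rfind(b"PK\x05\x06")  # End of Central Directory record signature
    if eocd < 0: raise ValueError("no EOCD record: not a ZIP/APK")
    return eocd, struct.unpack_from("<I", apk, eocd + 16)[0]  # EOCD+16: Central Directory offset

def signing_block_ids(apk):
    """IDs of the pairs in the APK Signing Block (sits right before the Central Directory), or None."""
    _, cd = eocd_and_cd_offset(apk)
    if cd < 24 or apk[cd - 16:cd] != SIG_BLOCK_MAGIC: return None
    size = struct.unpack_from("<Q", apk, cd - 24)[0]  # block size, excluding the leading size field
    pos, ids = cd - size, set()                       # first ID-value pair follows the leading uint64
    while pos < cd - 24:
        length, pair_id = struct.unpack_from("<QI", apk, pos)  # uint64 len(id + value), uint32 id
        if length < 4 or pos + 8 + length > cd - 24: return None  # malformed pair: reject the block
        ids.add(pair_id)
        pos += 8 + length
    return ids

def v1_claims_v2(apk):
    """True when a META-INF/*.SF file records that the APK was also signed with v2."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in [n for n in zf.namelist() if n.startswith("META-INF/") and n.upper().endswith(".SF")]:
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                key, _, val = line.partition(":")
                if key == SF_V2_ATTR and "2" in val.replace(" ", "").split(","):
                    return True
    return False

def classify(apk):  # 'v2-signed', 'v1-only', or 'v2-stripped' (v1 promises a v2 signature that is gone)
    ids = signing_block_ids(apk)
    if ids and V2_BLOCK_ID in ids: return "v2-signed"
    return "v2-stripped" if v1_claims_v2(apk) else "v1-only"

def make_sample(with_v2_block, sf_claims_v2):
    """Constructed input: a tiny ZIP plus a placeholder v2 block, not a genuinely signed APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n" + (SF_V2_ATTR + ": 2\r\n" if sf_claims_v2 else ""))
    apk = buf.getvalue()
    eocd, cd = eocd_and_cd_offset(apk)
    pair = struct.pack("<QI", 4 + 5, V2_BLOCK_ID) + b"dummy"  # ID plus placeholder signer data
    size = len(pair) + 8 + 16                                 # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    new_eocd = apk[eocd:eocd + 16] + struct.pack("<I", cd + len(block)) + apk[eocd + 20:]
    return apk[:cd] + block + apk[cd:eocd] + new_eocd if with_v2_block else apk
```

Because the block is inserted ahead of the Central Directory and the EOCD offset is patched, older ZIP readers still open the file, which is why pre-Nougat devices can ignore the extra data.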
</p>
<p>
The new format is backwards compatible, so APKs signed with the new signature
format can be installed on older Android devices (which simply ignore the extra
data added to the APK), as long as these APKs are also v1-signed.
</p>
<p>
<img src="../images/apk-validation-process.png" alt="APK signature verification process" id="figure1" />
</p>
<p class="img-caption"><strong>Figure 1.</strong> APK signature verification
process (new steps in red)</p>

<p>
The whole-file hash of the APK is verified against the v2 signature stored in
the APK Signing Block. The hash covers everything except the APK Signing Block,
which contains the v2 signature. Any modification to the APK outside of the APK
Signing Block invalidates the APK's v2 signature. APKs with a stripped v2
signature are rejected as well, because their v1 signature specifies that the
APK was v2-signed, which makes Android Nougat and newer refuse to verify such
APKs using their v1 signatures.
</p>

<p>For details on the APK signature verification process, see the <a href="v2.html#verification">
Verification section</a> of APK Signature Scheme v2.</p>

</body>
</html>