Android digital certificate specific application mechanism

As a popular open-source system, the Android mobile phone operating system plays an important role in the mobile phone field. In the Android system, all applications installed on the system must have an Android digital certificate used to identify the author of the application and establish a trust relationship between the application, if the protectionLevel of a permission is signature, only applications with the same digital certificate as the program where the permission is located can obtain this permission.

• In-depth analysis of the Android File System
• Android phone Functions
• Android sharing feature source code
• Android Core Module Content Overview
• Android Browser

Android uses the digital certificate mechanism of Java to add a digital certificate to apk. To understand Android digital certificate, you must first understand the concept of the digital certificate and the digital certificate mechanism of java.

Basic concept: digital certificate:

Digital verification is a digital method to identify a user. A digital certificate contains two parts of data: one is the information of the subject unit or individual, and the other is the public key of the subject. That is, the digital certificate stores the one-to-one correspondence between the subject and its public key for self-authentication to prove its identity to other users ).

Java digital certificate tool.

Keytool.exe in Java can be used to create a digital certificate. All digital certificates are stored in the certificate library in the form of one (alias difference). A certificate in the certificate library contains the private key of the certificate, public Key and the corresponding digital certificate information. A certificate file in the certificate library can be exported. The certificate file only contains the subject information and the corresponding public key.

Each certificate library is a file consisting of an access password. When it is created for the first time, it automatically generates a certificate library and requires that the password for accessing the certificate library be specified.

When creating a certificate, you must enter the certificate information and the private key and password corresponding to the certificate. These information includes CN = xx, OU = xx, O = xx, L = xx, ST = xx, C = xx, which means:

CN (Common Name and surname)

OU (Organization Unit name)

O (Organization name)

L (Locality city or region name)

ST (Name of the State or Province)

C (Country name)

You can use interactive tools to prompt you to enter the above information, or you can use parameters

-Dname "CN = xx, OU = xx, O = xx, L = xx, ST = xx, C = xx" is automatically created.

For example, this command:

Keytool-genkey-alias testCA-keyalg RSA-keysize 1024-keystore testCALib-validity 3650

Create a digital certificate named testCA in the digital certificate library testCALib, Which is encrypted using the RSA algorithm and valid for 3650 days.

After the certificate is generated, we can use the name to export the digital certificate as a file.

Keytool-export-alias testCA-file testCA. cer-keystore testALib-rfc

For other keytool usage, You can query the help documentation of keytool.

After the digital certificate is generated, we need to use the generated digital certificate to sign the package. This is to use the jarsigner tool. For example, if we have a androidprogram package calendar.apk, we can use the generated testCA to sign the modified package.

Jarsigner-keystore testCALib calendar.apk testCA.

Android digital certificate Overview:

Android requires that every application installed in the system be signed by a digital certificate, and the private key of the digital certificate is stored in the hands of the program developer. Android uses a digital certificate to identify the author of an application and establish a trust relationship between the application, instead of deciding which applications the end user can install. This digital certificate does not need to be authenticated by an authoritative Digital Certificate Signing Authority. It is only used to authenticate the application package.

The Android digital certificate contains the following key points:

(1) All applications must have digital certificates. Android does not install an application without digital certificates.

(2) the digital certificate used by the Android package can be self-Signed and does not require signature authentication by an authoritative Digital Certificate Authority.

(3) To officially release an Android app, you must use a digital certificate generated by a suitable private key to sign the app, rather than using the debugging certificate generated by the adt plug-in or ant tool for release.

(4) digital certificates are valid. Android only checks the validity period of the certificate when the application is installed. If the program has been installed in the system, the normal functions of the program will not be affected even if the certificate expires.

(5) Android uses the standard java tool Keytool and Jarsigner to generate a digital certificate and sign the application package.

The Android system does not install and run any unsigned apk program, whether on a simulator or on a physical device. Android development tools (ADT plug-in and Ant) can help developers sign the apk program. They both have two modes: debug mode and release mode ).

In the debugging mode, the android development tool uses the digital certificate used for debugging to sign the program at each compilation. Developers do not need to worry about it.

To publish a program, developers need to use their own digital certificates to sign the apk package. There are two methods.

(1) Use JDK and Keytool (used to generate digital certificates) and Jarsigner (used to sign digital certificates) in the command line to sign the apk package

(2) Use ADT Export Wizard for signature (if there is no digital certificate, you may need to generate a digital certificate)

Signature policy:

Multiple programs of the same developer should use the same digital certificate as much as possible, which can bring the following benefits.

(1) It is conducive to program upgrade. When the digital certificates of the New and Old programs are the same, the Android system considers the two programs as different versions of the same program. If the digital certificates of the New and Old programs are different, the Android system considers them different programs and conflicts with each other, and requires the new program to change the package name.

(2) facilitates modular design and development of programs. The Android system allows a program with the same digital signature to run in a process. The Android program regards them as the same program. Therefore, developers can develop their programs into modules, and users only need to download the appropriate modules as needed.

(3) data and code can be shared among multiple programs through permission. Android provides a digital certificate-based permission granting mechanism. Applications can share functions or data with other programs to those programs that have the same digital certificate as themselves. If the protectionLevel of a permission (permission) is signature, this permission can only be granted to programs with the same digital certificate as the package where the permission is located.

Another consideration is the validity period of the Android digital certificate:

(1) The validity period of the digital certificate must include the expected life cycle of the program. Once the digital certificate expires, the program holding the certificate cannot be upgraded normally.

(2) If multiple programs use the same digital certificate, the validity period of the digital certificate should include the estimated life cycle of all programs.

(3) Android Market requires that the digital certificates of all applications be valid until January 1, October 22, 2033.