Android Anti-compilation (iii) re-signing

Android Anti-compilation (iii) re-signing

[Catalogue] 1, principle 2, tools and preparation work 3, Operation step 4, install X Skill 5, problem

1. Principle

1). Key to the APK signature

A. All applications must have a digital certificate, and the Android system will not install an application without a digital certificate;

B.the digital certificate used by the Android package can be self-signed and does not require an authoritative digital certificate Authority signature authentication;

C. digital certificates are valid, and Android only checks the validity of the certificate when the application is installed. If the program is already installed on the system, it does not affect the normal functionality of the program, even if the certificate expires.  

D.Android uses standard Java tools Keytool, Jarsigner to generate digital certificates, and to sign application packages.

2). Benefits of APK signature

A, application upgrade: If you want to upgrade the application, the signing certificate must be the same, the package name is the same!

B, application modularity:TheAndroid system can allow multiple applications with the same certificate signature to run in a thread, the system actually takes them as a single application, At this point, we can deploy our application in a modular way, and users can upgrade one of the modules independently.

C, code or data sharing: Android provides a signature-based permission mechanism, then an application can the other application that is signed with the same certificate exposes its own functionality. For multiple applications with the same certificate signatures, and with signature-based permission checks, you can share code and data in a secure way between applications.

3). APK re-signing principle

A,the Android system signature mainly has the ROM signature and the application APK signature two kinds of forms. The ROM signature is signed for an already generated Android system ROM package. App APK Signature is signed for developer-developed app apk.

B, A PK is actually a jar or a zip compressed file, the Meta-inf directory is stored in the compressed package of all the files in the signature information, to ensure the integrity of the APK package and system security.

C, re-signing: is actually to delete the Meta-inf directory (delete the existing signature), using the self-data certificate re-signed again.

Note: If the APK has signed self-calibration (code has a checksum) need to modify its code, not the content of today's article.

2, tools and preparation work

1). Tools

A. Digital certificate generation: Keytool

Java comes with tools such as: JDK1.7 Example: Path C:\Program Files\java\jdk1.7.0_55\bin\keytool.exe B. Re-signing: JarsignerJava comes with tools such as: JDK1.7 example : Path C:\Program files\java\jdk1.7.0_55\bin\jarsigner.exe C. Optimize apk:zipalign Android SDK Self-bring tool example: Path C:\Program F Iles\adt-bundle-windows-x86_64-20140321\sdk\tools\zipalign.exe

2). Preparatory work

A. Installing the JDK, configuring environment variables

B. Install the Android SDK, configure environment variables

3. Operation procedure

1), this machine KeyStore Digital Certificate

a, find ready-made keystore file

path   C:\Documents and Settings\ findyou

debug.keystore keystore Name: "Debug. KeyStore " keystore Password:" Android "key alias:" Androiddebugkey "Key password:" Android "CN:" Cn=android debug,o= Android,c=us "   

B,Keytool generate keystore digital certificate :

(1). [Execute the following command in CMD]

keytool   -genkey -v - KeyStore  debug.keystore  -alias  androiddebugkey   -keyalg  RSA  -validity  10000

/* Explanation: Keytool is the tool name,-genkey means to generate a digital certificate operation, and-V to print out the details of the generated certificate, displayed in a DOS window; -keystore Debug.keystore The file name that represents the generated digital certificate is "Debug.keystore"; -alias Androiddebugkey indicates that the certificate has an alias of "Androiddebugkey" and can be the same as KeyStore; -keyalg RSA indicates that the algorithm used to generate the key file is RSA , and-validity 10000 indicates that the digital certificate is valid for 10,000 days, meaning that the certificate will expire after 10,000 days

**/   

Execution Results Enter KeyStore password: Android

Enter the new password again: Android

What is your first and last name?
[Unknown]: Android Debug
What is the name of your organizational unit?
[Unknown]: Android
What is your organization's name?
[Unknown]: Android
What is the name of your city or region?
[Unknown]: ShenZhen
What is the name of your state/province?
[Unknown]: Guangdong
What is the two-letter country/region code for this unit? [Unknown]: CN
cn=android Debug, Ou=android, O=android, L=shenzhen, St=guangdong, c=cn correct?
[No]: Y
generating 2,048-bit RSA key pair and self-signed certificate (SHA256WITHRSA) for the following objects (valid for 10,00 0 days):
cn=android Debug, Ou=android, O=android, L=shenzhen, St=guangdong, C=CN
Enter the key password for <androiddebugkey>
(if the keystore password is the same, press ENTER): [Enter]
[Storing Debug.keystore]

(2). Debug.keystore generated in the directory of cmd execution commands

2), delete the original apk signature file

(1). thinkdrive.apk Rename to Thinkdrive.zip, unzip thinkdrive.zip file

(2). The names of the thinkdrive are named Thinkdrive_temp (3). Thinkdrive_temp folder, locate Meta-inf, delete Meta-inf (4). Will thinkdrive_temp the entire folder with the Zip tool, repackage it into a zip archive, and then change the suffix to apk   Note: A. Go to the Thinkdrive_sign folder to package files directly, not to thinkdrive_sign the entire folder packaging, otherwise it will produce a level two root directory) B. Note is zip compression, not RAR c. The jar can be used to unpack, compress the package unpacking: JAR-XVF thinkdrive.apk to apk file Compress package JAR-CVF. /thinkdrive.apk./-Into the folder packaging, will not produce a two-level root directory, APK generated on the previous layer, to prevent the dead loop  

3), apk re-signing

Jarsigner-verbose-keystoreDebug.keystore -storepassAndroid -keypassAndroid -signedjarthinkdrive_signed.apk thinkdrive_temp.apk Androiddebugkey

/* Explanation: Jarsigner is the signature tool for Java

-verbose parameter indication: Show signature details

-keystore represents the use of the Debug.keystore signing certificate file in the current directory.

-storepass Key Password

-signedjar thinkdrive_signed.apk represents the name of the APK generated after the signature,

THINKDRIVE_TEMP.APK represents an unsigned apk,

Androiddebugkey represents the alias of Debug.keystore

*/  

4), optimize APK  

zipalign-v 4 thinkdrive_signed.apk target.apk

Note:

The most fundamental purpose of zipalign optimization is to help the operating system more efficiently according to the request index resources, will resource-handling code unified data Structure alignment (data structure alignment standard: D SA) is limited to 4-byte boundaries.  

Summary: Through the above four steps, finally get the target.apk (the name itself can be generated in the fourth step from the modified) after the re-signed apk.  

4. Pack x Tips

Occasionally hand-knocking code does not matter, need to sign the apk a lot, then you waste. You would say that downloading the existing re-signed Jar on the web, ah, and so on, how boring, to own the whole batch processing.

1), Code:[Re-signing. bat] @ECHO OFF
REM Name of key
SETKeystore_name= Debug. keystore
REM Alias for Key
SETKeystore_alias=androiddebugkey
REM Key's password
SETKeystore_storepass=android
SETKeystore_keypass=android
REM temporary file name or temporary folder name
SETTemp_prefix=temp_
REM after re-signing apk filename prefix
SETRe-signed=re-signed_
for%%i In (*.apk) Do(
ECHO[Re-signing%%i]
ECHO[Create a folder with the same name as the APK]
REM Create a folder and delete it if it already exists
RD/s/q "%%i"
MD"%%i" \%temp_prefix%
REM Copy the apk file that needs to be re-signed into the Temp folder
COPY%%i "%%i" \%temp_prefix%
REM copy key to apk folder of the same name
COPY%keystore_name% "%%i"
REM Go to Temp folder
CD"%%i" \%temp_prefix%

REM Unzip apk file
JAR-XVF%%i
REM Delete the apk file copied to the Temp folder
DEL%%i
REM Delete Manifest
RD/s/q Meta-inf

REM re-compress into apk file
ECHO[Re-packaged as APK]
JAR-CVF. /%temp_prefix%%%i. /
CD..

ECHO[Jarsigner%%i]
REM to re-sign the APK package, JDK1.7 need to add parameters
Jarsigner-verbose-keystore%keystore_name%-storepass%keystore_storepass%%temp_prefix%%%i%KEYSTORE_ALIAS%- Keypass%keystore_keypass%

ECHO[Delete Jarsigner temp file]
RD/s/q%temp_prefix%
REM Delete duplicate Debug.keystore in folder with same name
DEL%keystore_name%

ECHO[Zipalign%%i]
REM use Android's Zipalign tool to optimize APK files
Zipalign-v 4%temp_prefix%%%i%re-signed%%%i
REM Check if the apk file is optimized
Zipalign-c-V 4%re-signed%%%i
ECHO[Delete zipalign temp file]
REM Delete the pre-optimized apk file, preserving the optimized apk
DEL%temp_prefix%%%i
CD..
ECHO[Re-signing complete]%re-signed%%%i
ECHO.
)
PAUSE
@ECHO on

2), how to use

(1). Copy the xxxx. KeyStore signature file to the directory where "re-signing. Bat" is located

(2). Copy the apk file that needs to be re-signed to the directory where the " re-signed. Bat" is located

(3). Double-click to run the "re-signed. bat" script

Note: If you need to re-sign multiple apk, you can copy all to in the directory where the " re-signed. bat" is located , Bat finds all of the APK in the current directory, all re-signed.

Execution result diagram:

  

5. Questions

1), re -signing installation failed (certificate issue)

Check: Whether JDK1.7, if JDK1.7 signature problem,Jarsigner need to add two parameters.

-digestalg Sha1-sigalg Md5withrsa

2), installation successful, failed to run

Check: A. First need to troubleshoot the issue of re-signing (re-check the installation again)

B. Re-check the reload still has a problem, check whether the program has self-signed check, if the signature check is more complex. Roughly explain the idea, the anti-compilation code for Java to find the signature check code, analysis logic, with Apktool decompile, modify the corresponding Smail code, and then repackage, signature.