Android APK application signature mechanism and read Signature method _android

Source: Internet
Author: User
Tags decrypt reflection sha1

Friends who have posted Android apps should all know that the Android apk is a sign that needs to be signed. The signature mechanism plays a very important role in Android applications and frameworks. For example, the Android system prohibits updating the apk of inconsistent installation signatures, and if the application needs to use system permissions, you must ensure that the APK signature is consistent with the framework signature, and so on.

what is a signature
First we need to know what is abstract, summary refers to the use of one-way hash function of the data generated by the calculation of the fixed length of the hash value, the digest algorithm has MD5,SHA1, MD5 generated hash value is 128 digits, that is 16 bytes, in hexadecimal notation is 32 characters, The hash value generated by SHA1 is a 160-digit number, which is 20 bytes, and 40 characters in hexadecimal notation. We can't figure out the data used to compute the digest, and if we modify the data, it's going to change (it's not true, it's just hard to find different data, and they have exactly the same summary value). The summary is often used to verify the integrity of the data, and many download sites list the MD5 value or SHA1 value of the downloaded file.
The summary and the signature have nothing to do with it, it is wrong to confuse the summary with the signature on the Internet. Signature and digital signature is the same concept, refers to the sender of information with their own private key to message digest encryption generated a string, encryption algorithm to ensure that others can not forge this string, the digital string is also the sender of information to send information authenticity of an effective proof. Other senders use their private key to the same message digest encryption will get a different signature, the receiver only use the sender's signature with the private key corresponding to the public key to decrypt the signature data to get message digest, otherwise get not the correct message digest.
Digital signature is the combination of asymmetric key encryption technology and digital Digest technology.
The digital signature technique is to encrypt the information digest with the sender's private key and transmit it to the receiver together with the original and the public key. The receiver can decrypt the encrypted information digest only with the sender's public key, and then the receiver uses the same hash function to produce an information digest of the received text, which is compared with the decrypted information digest. If the same is true, the information received is complete, not modified during transmission, and the information is modified, so the digital signature guarantees the integrity of the information. And since only the sender has the private key of the cryptographic digest, we can determine that the message must be sent by the sender.
You also need to understand a concept: digital certificates. A digital certificate is a file that contains information about the public key and its owner that is digitally signed by the certificate authority. The format of digital certificates is commonly used X.509v3 international standards, a standard X.509 digital certificate contains the following: Certificate version information:
1 The serial number of the certificate, each certificate has a unique certificate serial number;
2 The signature algorithm used by the certificate;
3 The name of the issuing organization of the certificate, the naming rules generally adopt X.500 format;
4 The validity of the certificate, the General certificate is generally in UTC time format, its timing range is 1950-2049;
5 The name of the owner of the certificate, the naming rules generally adopted X.500 format;
6 Public key of the certificate owner;
7 The certificate issuer's signature to the certificate.
CERT. RSA includes digital signatures and digital certificates for developers. CERT. RSA digital signature refers to the cert.sf of the summary of the use of private key encrypted data, the Android system installed APK will be the CERT.SF calculation of the summary, and then use the public key Cert.rsa in the Cert.rsa to decrypt the digital signature of a summary, compare these two summaries can know whether the APK has a positive The exact signature also says that if the other person modifies the APK and does not re-sign it will be checked out.
Need to pay attention to the Android platform certificate is self-signed, also said that do not need authority to issue, digital certificate distribution agencies and all people are the same, are developers themselves, developers to generate public private key pairs do not need to submit to the authority to verify.

Read signature
some time need to obtain a specific APK (installed or not installed) signature information, such as program self-test, trusted Third-party Detection (Application market), System-limited installation
In this case, there are two ways to implement
You can use the Java self-contained APIs (primarily for jarfile,jarentry,certificate) to get it, and one way is to use a system-hidden API Packageparser to use the corresponding APIs through reflection.
However, due to the fragmented version of the Android system and the many modifications made by different vendors, the method of relying on the reflection-hiding API does not guarantee compatibility and versatility, so it is recommended to use Java's own API to obtain:

 
  /** * Read signatures from APK * @param file * @return * @throws ioexception/private static list<string > getsignaturesfromapk (File file) throws IOException {list<string> signatures=new arraylist<string> () 
    ; 
    Jarfile jarfile=new jarfile (file); 
      try {jarentry je=jarfile.getjarentry ("Androidmanifest.xml"); 
      Byte[] Readbuffer=new byte[8192]; 
      Certificate[] Certs=loadcertificates (Jarfile, je, readbuffer); 
          if (certs!= null) {for (certificate c:certs) {String sig=tocharsstring (c.getencoded ()); 
        Signatures.add (SIG); 
  The catch (Exception ex) {} return signatures; /** * Load Signature * @param jarfile * @param JE * @param readbuffer * @return/private static Ce Rtificate[] Loadcertificates (jarfile jarfile, Jarentry je, byte[] readbuffer) {try {InputStream is=jarfile.g 
      Etinputstream (JE); while (Is.read (readbuffer, 0, readbuffer.length)!=-1) {} is.close (); Return JE!= null? 
    Je.getcertificates (): null; 
  catch (IOException e) {} return null; /** * Convert signature to visible String * @param sigbytes * @return/private static string Tocharsstring (byte[) Sigby 
    TES) {byte[] sig=sigbytes; 
    final int n=sig.length; 
    Final int n2=n * 2; 
    Char[] Text=new char[n2]; 
      for (int j=0; J < N; J + +) {byte v=sig[j]; 
      int d= (v >> 4) & 0xf; Text[j * 2]= (char) (d >= 10?) 
      (' a ' + d-10): (' 0 ' + D)); 
      D=v & 0xf; TEXT[J * 2 + 1]= (char) (d >= 10?) 
    (' a ' + d-10): (' 0 ' + D)); 
  return new String (text); 
 }

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.