Android application security deserves attention, and so does the Android signature mechanism. We usually let Eclipse sign the APK directly and never look at how the signing process actually works, so let's get to know it today. Signatures play an important role in Android: the system refuses to update an installed APK with one whose signature does not match, and an application that requests system permissions must be signed with the same key as the framework, among other things. An application's signature therefore offers some protection against tampering and piracy; a certificate from an authoritative certification authority would of course be better still.
Android uses keytool (to generate the digital certificate) and jarsigner (to sign the package with that certificate) to sign the APK. For details on using both tools, refer to "Android APK file signature-keytool and jarsigner".
With decompilation rampant and copyright poorly protected, signature comparison lets us verify the integrity of an Android APK, judge whether an application is trustworthy, and confirm that our own application has not been tampered with or repackaged.
The following three methods can be used for signature comparison:
1. Self-check by the program. At runtime the program compares its own signature against a reference sample. The sample can be stored inside the APK or on a server. If it is stored in the APK, implement the self-check in a native method; if it is stored on the server, combine the user name with the signature so that the data sent by each user differs. Otherwise the self-check scheme is exposed as soon as the traffic is captured.
2. Detection by a trusted third party. A trusted third-party program takes responsibility for APK integrity: the reference samples are collected by the third party and kept on its servers. This suits application markets and anti-virus security software, or Google Play. The disadvantage is that detection requires a network connection and cannot work offline. iOS does not have this worry, since the App Store guarantees application integrity; Android has no unified application market and no reliable third-party software, which is a weakness.
3. Restricted system installation. This requires modifying the Android system so that only APKs signed with particular certificates can be installed. A software publisher must apply to the system vendor for a certificate, and if problems are found the publisher can be held accountable. This suits system providers and device manufacturers. The disadvantage is that it is too closed and works against the openness of the platform.
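The runtime self-check of method 1, with the reference sample kept in the APK, as an added example that is not code from the original post. It assumes a placeholder EXPECTED_CERT_SHA256 that you replace with the SHA-256 fingerprint of your own release certificate (as printed by keytool), and it hashes the DER-encoded signing certificate that Android exposes through PackageManager.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;

/** Runtime self-check of the APK signing certificate (method 1 above). */
public final class SignatureSelfCheck {

    // Placeholder (assumption): SHA-256 of the release signing certificate,
    // lower-case hex. Obtain it once with:
    //   keytool -printcert -jarfile app-release.apk
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private SignatureSelfCheck() {}

    /** True only if every signer of the running APK matches the expected certificate. */
    public static boolean signatureMatches(Context ctx) {
        try {
            Signature[] sigs = currentSignatures(ctx);
            if (sigs == null || sigs.length == 0) return false;
            byte[] expected = EXPECTED_CERT_SHA256.getBytes("US-ASCII");
            for (Signature s : sigs) {
                // Signature.toByteArray() is the DER-encoded X.509 certificate.
                byte[] actual = sha256Hex(s.toByteArray()).getBytes("US-ASCII");
                // Constant-time comparison, so timing does not leak the mismatch position.
                if (!MessageDigest.isEqual(actual, expected)) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // any failure is treated as a mismatch
        }
    }

    private static Signature[] currentSignatures(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            return info.signingInfo.getApkContentsSigners();
        }
        @SuppressWarnings("deprecation")
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return info.signatures;
    }

    private static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Call signatureMatches(context) early in startup and refuse to continue on false; keep in mind that a Java-level check is itself easy to patch out, which is why the post recommends a native implementation for the in-APK variant.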
Android application security is a complex subject. During development, design a secure communication protocol; when publishing the APK, guard against decompilation, unpacking and repackaging, and cracking of the SDK. Each of these steps must be handled carefully and in detail during development.
Author: Zhang Xingye, http://blog.csdn.net/xyz_lmn (iOS group: 83702688; Android development group: 241395671; Sina Weibo: @Zhang Xingye tbow)
Related posts:
Android APK file signature-keytool and jarsigner
Android digital signature learning notes
Android APK signature mechanism