0x01 Android Signature Mechanism
Rename the APK to .zip and open it: the META-INF folder contains three files, MANIFEST.MF, CERT.SF and CERT.RSA. These are the signature files generated by signapk.jar.
1. MANIFEST.MF file:
The program iterates over every entry in the APK (update.apk in SignApk's own terms), computes a SHA1 digest (a digest only, no key is involved at this stage) of each entry that is neither a directory nor one of the signature files, and Base64-encodes it. See the method `private static Manifest addDigestsToManifest(JarFile jar)` in SignApk.java. The key part of that method is:
```java
// Inside addDigestsToManifest(): `input` is the jar's existing manifest (may be
// null), `output` is the manifest being built, and `byName` holds the entries
// sorted by name so the output is deterministic.
MessageDigest md = MessageDigest.getInstance("SHA1");
byte[] buffer = new byte[4096];
int num;

for (JarEntry entry : byName.values()) {
    String name = entry.getName();
    // Skip directories, the manifest itself, the signature files, and
    // anything matching the optional strip pattern.
    if (!entry.isDirectory() && !name.equals(JarFile.MANIFEST_NAME) &&
        !name.equals(CERT_SF_NAME) && !name.equals(CERT_RSA_NAME) &&
        (stripPattern == null || !stripPattern.matcher(name).matches())) {
        InputStream data = jar.getInputStream(entry);
        while ((num = data.read(buffer)) > 0) {
            md.update(buffer, 0, num);
        }

        // Keep any attributes the input manifest already had for this entry,
        // then record Base64(SHA1(contents)) as the entry's SHA1-Digest.
        Attributes attr = null;
        if (input != null) attr = input.getAttributes(name);
        attr = attr != null ? new Attributes(attr) : new Attributes();
        attr.putValue("SHA1-Digest", base64.encode(md.digest()));
        output.getEntries().put(name, attr);
    }
}
```
The resulting manifest is then written out as META-INF/MANIFEST.MF. The key code is:
```java
Manifest manifest = addDigestsToManifest(inputJar);
je = new JarEntry(JarFile.MANIFEST_NAME);
je.setTime(timestamp);
outputJar.putNextEntry(je);
manifest.write(outputJar);
```
2. Generate CERT.SF file:
CERT.SF is derived from the manifest built in the previous step: it holds a SHA1 digest of the whole manifest and a SHA1 digest of each entry's manifest stanza. A SHA1withRSA `Signature` object initialised with the private key is wrapped around the output stream, so every byte of CERT.SF is fed to the signer as it is written; the resulting signature value is what later goes into CERT.RSA. The key code is:
```java
Signature signature = Signature.getInstance("SHA1withRSA");
signature.initSign(privateKey);
je = new JarEntry(CERT_SF_NAME);
je.setTime(timestamp);
outputJar.putNextEntry(je);
writeSignatureFile(manifest, new SignatureOutputStream(outputJar, signature));
```
3. Generate CERT.RSA file:
Building MANIFEST.MF uses no key material, and generating CERT.SF uses the private key, so CERT.RSA is the part tied to the public key: it is a PKCS#7 signature block holding the signer's certificate (and therefore the public key), the algorithm identifiers, and the RSA signature computed over CERT.SF. The core code is:
```java
je = new JarEntry(CERT_RSA_NAME);
je.setTime(timestamp);
outputJar.putNextEntry(je);
writeSignatureBlock(signature, publicKey, outputJar);
```
Inside an app, the APK signature is read back through PackageManager as follows:
```java
PackageInfo packageInfo = manager.getPackageInfo(pkgname, PackageManager.GET_SIGNATURES);
Signature[] signatures = packageInfo.signatures;
StringBuilder builder = new StringBuilder();
for (Signature signature : signatures) {
    builder.append(signature.toCharsString());
}
String signatureValue = builder.toString();
```
So the usual check is: read the signature this way at runtime and compare it with the expected (typically hard-coded) value; a mismatch means the APK was re-signed with a different key, i.e. repackaged.
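As an added example (not code from this post or from SignApk.java), the following Python reproduces the digest scheme of steps 1 and 2 above: it builds MANIFEST.MF and CERT.SF for a constructed set of files exactly the way addDigestsToManifest() and writeSignatureFile() do (Java's 72-byte manifest line wrapping omitted), and then re-verifies the digests so that a modified or added entry is reported. CERT.RSA needs a signing key and is not produced.

```python
import base64
import hashlib
import io
import zipfile

# Added example, not code from the original post or from SignApk.java: a Python
# re-implementation of the MANIFEST.MF / CERT.SF digest scheme plus a verifier
# that reports which entries of a zip no longer match the manifest. Java's
# 72-byte line wrapping is omitted and CERT.RSA (which needs a key) is not built.

SIG_NAMES = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}
SAMPLE = {  # constructed stand-in for an APK's contents
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00original code",
}


def sha1_b64(data: bytes) -> str:
    """SHA1 digest, Base64-encoded, as stored in the SHA1-Digest attributes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_manifest(zf: zipfile.ZipFile) -> str:
    """Mirror of addDigestsToManifest(): one stanza per entry that is neither a
    directory nor a signature file, in sorted name order."""
    lines = ["Manifest-Version: 1.0", "Created-By: 1.0 (Android SignApk)", ""]
    for name in sorted(zf.namelist()):
        if name.endswith("/") or name in SIG_NAMES:
            continue
        lines += ["Name: " + name, "SHA1-Digest: " + sha1_b64(zf.read(name)), ""]
    return "\r\n".join(lines) + "\r\n"


def build_signature_file(manifest: str) -> str:
    """Mirror of writeSignatureFile(): CERT.SF holds a digest of the whole
    manifest plus a digest of each per-entry stanza; these bytes are what the
    SHA1withRSA signature stored in CERT.RSA is computed over."""
    _main, entries = manifest.split("\r\n\r\n", 1)
    lines = ["Signature-Version: 1.0", "Created-By: 1.0 (Android SignApk)",
             "SHA1-Digest-Manifest: " + sha1_b64(manifest.encode()), ""]
    for stanza in entries.split("\r\n\r\n"):
        if stanza:
            name = stanza.split("\r\n")[0][len("Name: "):]
            lines += ["Name: " + name,
                      "SHA1-Digest: " + sha1_b64((stanza + "\r\n\r\n").encode()), ""]
    return "\r\n".join(lines) + "\r\n"


def parse_manifest(text: str) -> dict:
    """Entry name -> SHA1-Digest from a MANIFEST.MF (main section ignored)."""
    digests, name = {}, None
    for line in text.split("\r\n"):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
        elif line == "":
            name = None
    return digests


def verify_manifest(zf: zipfile.ZipFile) -> list:
    """Recompute every digest; return the names that fail: modified entries,
    entries listed but missing, and entries added without a manifest stanza."""
    expected = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
    present = {n for n in zf.namelist() if not n.endswith("/") and n not in SIG_NAMES}
    bad = {n for n, d in expected.items() if n not in present or sha1_b64(zf.read(n)) != d}
    return sorted(bad | (present - expected.keys()))


def make_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sign_entries(files: dict) -> dict:
    """Return the files plus the MANIFEST.MF and CERT.SF built from them."""
    with zipfile.ZipFile(io.BytesIO(make_zip(files))) as zf:
        manifest = build_manifest(zf)
    signed = dict(files)
    signed["META-INF/MANIFEST.MF"] = manifest.encode()
    signed["META-INF/CERT.SF"] = build_signature_file(manifest).encode()
    return signed


def check_files(files: dict) -> list:
    """Pack the dict into an in-memory zip and run verify_manifest() on it."""
    with zipfile.ZipFile(io.BytesIO(make_zip(files))) as zf:
        return verify_manifest(zf)


if __name__ == "__main__":
    signed = sign_entries(SAMPLE)
    print("intact:", check_files(signed))
    repacked = {**signed, "classes.dex": b"dex\n035\x00patched code", "assets/hook.js": b""}
    print("repacked:", check_files(repacked))
```

The repackaging tools discussed below rebuild all three META-INF files with the attacker's own key, so these digests still verify on the rebuilt APK; what changes is the certificate inside CERT.RSA, which is why the in-app checks compare the PackageManager signature value rather than the digests.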
0x02 Signature Bypass Methods
Before looking at how signatures are bypassed, first establish whether the app checks the signature or a DEX checksum:
1. Open the APK as a zip, delete the original signature files and re-sign it. If the result installs and runs normally, but an APK rebuilt with an IDE-style tool (which decompiles and reassembles the DEX, so the DEX changes) misbehaves, for example crashes or shows a "not genuine" dialog, then the check is on the DEX file.
2. If deleting the original signature and re-signing already produces the abnormal behaviour after installation, it is a signature check. If the same behaviour occurs with the network disconnected, the verification is local; if it first shows up as a network-not-connected error, the verification is server-side.
2.1. Java-layer check
The code that retrieves the signature and compares it is written in the Java layer of the app. Example:
1. Decompile the APK with Apkide, change nothing, rebuild and install it. On launch it shows the following prompt:
3. This is where the signature is obtained. Next find the place where the program decides on the comparison result and change it; for example, the deciding `if-nez` is changed to `if-eqz`, i.e. `if-eqz v2, :cond_0`, and the program now bypasses its local signature check.
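The locate-and-flip step above, as an added example that is not code from this post or from Apkide: a small scanner over decompiled smali that finds the conditional branch following the signature-related calls (getPackageInfo with GET_SIGNATURES, PackageInfo.signatures, Signature.toCharsString or hashCode) and inverts it. The smali method is constructed for the example, and the expected-signature constant is a placeholder.

```python
import re

# Added example, not code from the original post or from Apkide: locate the
# Java-layer signature check in smali and flip the branch that acts on it.
# SAMPLE_SMALI is constructed for this example; the signature constant is a
# placeholder, not a real certificate.

SAMPLE_SMALI = """\
.method private checkSignature()Z
    .locals 4
    invoke-virtual {p0}, Lcom/example/app/MainActivity;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v0
    invoke-virtual {p0}, Lcom/example/app/MainActivity;->getPackageName()Ljava/lang/String;
    move-result-object v1
    const/16 v2, 0x40
    invoke-virtual {v0, v1, v2}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
    move-result-object v0
    iget-object v0, v0, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
    const/4 v1, 0x0
    aget-object v0, v0, v1
    invoke-virtual {v0}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;
    move-result-object v0
    const-string v1, "EXPECTED_SIGNATURE_PLACEHOLDER"
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v2
    if-nez v2, :cond_0
    const/4 v3, 0x0
    return v3
    :cond_0
    const/4 v3, 0x1
    return v3
.end method
"""

# Calls that mark code as "obtaining the signature" (0x40 is GET_SIGNATURES).
EVIDENCE = [
    re.compile(r"PackageManager;->getPackageInfo\("),
    re.compile(r"PackageInfo;->signatures:"),
    re.compile(r"Signature;->toCharsString\("),
    re.compile(r"Signature;->hashCode\("),
]
BRANCH = re.compile(r"^\s*(if-nez|if-eqz)\s+(\S+),\s*(:\S+)")
WINDOW = 20  # a branch this many lines after the last evidence still counts
FLIP = {"if-nez": "if-eqz", "if-eqz": "if-nez"}


def find_signature_checks(smali: str) -> list:
    """Return [(line_number, instruction)] for each if-nez/if-eqz that follows
    signature-related calls within WINDOW lines (one branch per check)."""
    hits, last_evidence = [], None
    for lineno, line in enumerate(smali.splitlines(), 1):
        if any(p.search(line) for p in EVIDENCE):
            last_evidence = lineno
        m = BRANCH.match(line)
        if m and last_evidence is not None and lineno - last_evidence <= WINDOW:
            hits.append((lineno, line.strip()))
            last_evidence = None
    return hits


def flip_branch(smali: str, lineno: int) -> str:
    """Invert the conditional on `lineno`, so the path taken on a matching
    signature is now taken on a mismatch; every other line is untouched."""
    lines = smali.splitlines(keepends=True)
    m = BRANCH.match(lines[lineno - 1])
    if not m:
        raise ValueError("line %d is not an if-nez/if-eqz" % lineno)
    lines[lineno - 1] = lines[lineno - 1].replace(m.group(1), FLIP[m.group(1)], 1)
    return "".join(lines)


def patch_signature_checks(smali: str) -> tuple:
    """Flip every located check; returns (patched_smali, number_of_patches)."""
    hits = find_signature_checks(smali)
    for lineno, _ in hits:
        smali = flip_branch(smali, lineno)
    return smali, len(hits)


if __name__ == "__main__":
    for lineno, insn in find_signature_checks(SAMPLE_SMALI):
        print("candidate check at line %d: %s" % (lineno, insn))
    patched, count = patch_signature_checks(SAMPLE_SMALI)
    print("patched %d branch(es)" % count)
```

The scanner only reports candidates; a branch that follows the signature calls can be an unrelated null check, so each hit still needs to be read in context (as step 3 does by hand) before the rebuilt APK is signed and installed.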
2.2. NDK check
Here the key code is placed in a native .so library: the signature is obtained and verified in native code. Because both the retrieval and the comparison live inside a .so, which is harder to reverse than Java bytecode, this offers some protection. Example:
1. Decompile the APK with Apkide, change nothing, rebuild and install it. On launch the program exits immediately without any prompt.
2. Search for "signature" (or for the error string) in Apkide and navigate to the code that performs the verification.
3. Open AppActivity in JD-GUI: it takes the package name and then performs an MD5 computation.
4. Search the program for getSignature: no Java code calls it, so the call presumably comes from the .so. Search for loadLibrary.
5. The code shows that the library being loaded is libcocos2dcpp.so.
6. Open libcocos2dcpp.so in IDA and search for getSignature to find where that function is used.
The code shows that this function calls org.cocos2dx.cpp.AppActivity.getSignature through JNI.
7. Looking at the F5 (decompiled) output, this function is the one that checks the signature. Double-click the function that calls it; part of its code is as follows.
8. Only the `beq loc_11F754` needs changing so that it no longer jumps to the Jjni-->error path. In the hex view, jump to 0x0011F73E in 010 Editor and change the byte D0 to D1: in the 16-bit Thumb encoding of a conditional branch the high byte 0xD0 means B with condition EQ and 0xD1 means condition NE, so beq becomes bne and the offset is unchanged. The signature check is bypassed.
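The D0-to-D1 patch in step 8, as an added example that is not code from this post, from IDA or from 010 Editor: a decoder for the 16-bit Thumb conditional branch (bits 1101, then a 4-bit condition, then a signed 8-bit halfword offset) that computes the branch target and flips EQ to NE. The halfword is constructed so that at address 0x11F73E it encodes `beq loc_11F754`, matching the listing above; the real libcocos2dcpp.so is not used, and the example assumes the in-file offset and the address used for the target are the same, as the post's hex-editor step does.

```python
import struct

# Added example, not code from the original post, IDA or 010 Editor: decode a
# Thumb B<cond> (T1 encoding: 1101 cond imm8) and flip EQ <-> NE by changing
# the 0xD0 byte to 0xD1. SAMPLE_BRANCH is constructed to match the post's
# addresses (beq at 0x11F73E targeting loc_11F754); no real binary is involved.

COND_NAMES = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
              "hi", "ls", "ge", "lt", "gt", "le"]

SAMPLE_BRANCH = bytes.fromhex("09d0")  # little-endian halfword 0xD009
SAMPLE_ADDRESS = 0x11F73E


def decode_thumb_bcond(insn: bytes, address: int) -> dict:
    """Decode B<cond> (T1) located at `address`. Thumb reads PC as address + 4,
    and imm8 is a signed offset in halfwords (so it is doubled)."""
    (halfword,) = struct.unpack("<H", insn[:2])
    cond, imm8 = (halfword >> 8) & 0xF, halfword & 0xFF
    if halfword >> 12 != 0b1101 or cond >= 0xE:  # 0xE/0xF are UDF/SVC, not branches
        raise ValueError("not a 16-bit Thumb conditional branch: %04x" % halfword)
    offset = (imm8 - 0x100 if imm8 & 0x80 else imm8) * 2
    return {"mnemonic": "b" + COND_NAMES[cond], "cond": cond,
            "target": (address + 4 + offset) & 0xFFFFFFFF}


def flip_eq_ne(insn: bytes) -> bytes:
    """beq -> bne or bne -> beq: only bit 8 (the low bit of cond) changes, so
    the encoded offset, and therefore the target, stays the same."""
    (halfword,) = struct.unpack("<H", insn[:2])
    if halfword >> 12 != 0b1101 or (halfword >> 8) & 0xF not in (0, 1):
        raise ValueError("only beq/bne are flipped here")
    return struct.pack("<H", halfword ^ 0x0100)


def patch_branch(image: bytearray, offset: int, base: int) -> dict:
    """Flip the branch at file offset `offset` in place; `base` is the address
    of image[0] (assumed equal to the file offset, as in the post). Returns
    what changed so the patch can be checked against the disassembly."""
    raw = bytes(image[offset:offset + 2])
    before = decode_thumb_bcond(raw, base + offset)
    image[offset:offset + 2] = flip_eq_ne(raw)
    after = decode_thumb_bcond(bytes(image[offset:offset + 2]), base + offset)
    return {"before": before["mnemonic"], "after": after["mnemonic"],
            "target": after["target"]}


if __name__ == "__main__":
    print(decode_thumb_bcond(SAMPLE_BRANCH, SAMPLE_ADDRESS))
    # Constructed image: four Thumb nops (0xBF00), the branch, four more nops.
    image = bytearray(b"\x00\xbf" * 4 + SAMPLE_BRANCH + b"\x00\xbf" * 4)
    print(patch_branch(image, 8, SAMPLE_ADDRESS - 8), image[8:10].hex())
```

Decoding before patching is the check worth keeping: if the halfword at the chosen offset does not decode to a beq with the target IDA showed, the offset is wrong (for instance because the file offset and the load address differ) and writing D1 there would corrupt an unrelated instruction.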
2.3. Server-side verification
The Java layer obtains the signature information and uploads it to the server; the server verifies it and returns the result.
With this kind of network verification, an error is generally shown when the network is not connected.
Since the verification is done over the network, the verification data must be sent to the server and checked there. Let's look at a simple instance first; a harder one next time.
1. Configure the phone for packet capture and capture the traffic. The first figure shows the traffic of the normal APK, the second that of the decompiled and rebuilt APK. Comparing them, the `public_key` in the cookie differs. After replacing it with the correct value, the rebuilt APK works normally.
2. Put the correct `public_key` into the APK: open the decompiled code, search for "signatures" and navigate to the signature code.
As can be seen, the code moves the value of signatures into v4 and then passes it to Utils->mPublicKey, so we load the correct `public_key` into v4 instead.
Then repack and reinstall.
0x03 Summary
A Java-layer check is easy to break; a check implemented in a .so is harder to analyse; and network verification, if it amounts to no more than a string comparison, is also easy to break.
APK Signature Check Bypass