en/security/apksigning/index.html - platform/docs/source.android.com - Git at Google

 page.title=Application Signing
 @jd:body

 <!--
     Copyright 2016 The Android Open Source Project

     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at

         http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.
 -->
 <div id="qv-wrapper">
   <div id="qv">
     <h2>In this document</h2>
     <ol id="auto-toc">
    </ol>
   </div>
 </div>

 <p>
 Application signing allows developers to identify the author of the application
 and to update their application without creating complicated interfaces and
 permissions. Every application that is run on the Android platform must be <a
 href="https://developer.android.com/studio/publish/app-signing.html">signed by
 the developer</a>. Applications that attempt to install without being signed
 will be rejected by either Google Play or the package installer on the Android
 device.
 </p>
 <p>
 On Google Play, application signing bridges the trust Google has with the
 developer and the trust the developer has with their application. Developers
 know their application is provided, unmodified, to the Android device; and
 developers can be held accountable for behavior of their application.
 </p>
 <p>
 On Android, application signing is the first step to placing an application in
 its Application Sandbox. The signed application certificate defines which user
 ID is associated with which application; different applications run under
 different user IDs. Application signing ensures that one application cannot
 access any other application except through well-defined IPC.
 </p>
 <p>
 When an application (APK file) is installed onto an Android device, the Package
 Manager verifies that the APK has been properly signed with the certificate
 included in that APK. If the certificate (or, more accurately, the public key in
 the certificate) matches the key used to sign any other APK on the device, the
 new APK has the option to specify in the manifest that it will share a UID with
 the other similarly-signed APKs.
 </p>
 <p>
 Applications can be signed by a third-party (OEM, operator, alternative market)
 or self-signed. Android provides code signing using self-signed certificates
 that developers can generate without external assistance or permission.
 Applications do not have to be signed by a central authority. Android currently
 does not perform CA verification for application certificates.
 </p>
 <p>
 Applications are also able to declare security permissions at the Signature
 protection level, restricting access only to applications signed with the same
 key while maintaining distinct UIDs and Application Sandboxes. A closer
 relationship with a shared Application Sandbox is allowed via the <a
 href="https://developer.android.com/guide/topics/manifest/manifest-element.html#uid">shared
 UID feature</a> where two or more applications signed with same developer key
 can declare a shared UID in their manifest.
 </p>
 <h2>APK signing schemes</h2>
 <p>
 Android supports two application signing schemes, one based on JAR signing (v1
 scheme) and <a href="v2.html">APK Signature Scheme v2 (v2 scheme)</a>, which
 was introduced in Android Nougat (Android 7.0).
 </p>
 <p>
 For maximum compatibility, applications should be signed both with v1 and v2
 schemes. Android Nougat and newer devices install apps signed with v2 scheme
 more quickly than those signed only with v1 scheme. Older Android platforms
 ignore v2 signatures and thus need apps to contain v1 signatures.
 </p>
 <h3 id="v1">JAR signing (v1 scheme)</h3>
 <p>
 APK signing has been a part of Android from the beginning. It is based on <a
 href="https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File">
 signed JAR</a>. For details on using this scheme, see the Android Studio documentation on
 <a href="https://developer.android.com/studio/publish/app-signing.html">Signing
 your app</a>.
 </p>
 <p>
 v1 signatures do not protect some parts of the APK, such as ZIP metadata. The
 APK verifier needs to process lots of untrusted (not yet verified) data
 structures and then discard data not covered by the signatures. This offers a
 sizeable attack surface. Moreover, the APK verifier must uncompress all
 compressed entries, consuming more time and memory. To address these issues,
 Android 7.0 introduced APK Signature Scheme v2.
 </p>
 <h3 id="v2">APK Signature Scheme v2 (v2 scheme)</h3>
 <p>
 Android 7.0 introduces APK signature scheme v2 (v2 scheme). The contents of the
 APK are hashed and signed, then the resulting APK Signing Block is inserted
 into the APK. For details on applying the v2 scheme to an application, refer to
 <a href="https://developer.android.com/preview/api-overview.html#apk_signature_v2">APK
 Signature Scheme v2</a> in the Android N Developer Preview.
 </p>
 <p>
 During validation, v2 scheme treats the APK file as a blob and performs signature
 checking across the entire file. Any modification to the APK, including ZIP metadata
 modifications, invalidates the APK signature. This form of APK verification is
 substantially faster and enables detection of more classes of unauthorized
 modifications.
 </p>
 <p>
 The new format is backwards compatible, so APKs signed with the new signature
 format can be installed on older Android devices (which simply ignore the extra
 data added to the APK), as long as these APKs are also v1-signed.
 </p>
 <p>
   <img src="../images/apk-validation-process.png" alt="APK signature verification process" id="figure1" />
 </p>
 <p class="img-caption"><strong>Figure 1.</strong> APK signature verification
 process (new steps in red)</p>

 <p>
 Whole-file hash of the APK is verified against the v2 signature stored in the
 APK Signing Block. The hash covers everything except the APK Signing Block,
 which contains the v2 signature. Any modification to the APK outside of the APK
 Signing Block invalidates the APK's v2 signature. APKs with stripped v2
 signature are rejected as well, because their v1 signature specifies that the
 APK was v2-signed, which makes Android Nougat and newer refuse to verify APKs
 using their v1 signatures.
 </p>

 <p>For details on the APK signature verification process, see the <a href="v2.html#verification">
 Verification section</a> of APK Signature Scheme v2.</p>
	page.title=Application Signing
	@jd:body

	<!--
	Copyright 2016 The Android Open Source Project

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<div id="qv-wrapper">
	<div id="qv">
	<h2>In this document</h2>
	<ol id="auto-toc">
	</ol>
	</div>
	</div>

	<p>
	Application signing allows developers to identify the author of the application
	and to update their application without creating complicated interfaces and
	permissions. Every application that is run on the Android platform must be <a
	href="https://developer.android.com/studio/publish/app-signing.html">signed by
	the developer</a>. Applications that attempt to install without being signed
	will be rejected by either Google Play or the package installer on the Android
	device.
	</p>
	<p>
	On Google Play, application signing bridges the trust Google has with the
	developer and the trust the developer has with their application. Developers
	know their application is provided, unmodified, to the Android device; and
	developers can be held accountable for behavior of their application.
	</p>
	<p>
	On Android, application signing is the first step to placing an application in
	its Application Sandbox. The signed application certificate defines which user
	ID is associated with which application; different applications run under
	different user IDs. Application signing ensures that one application cannot
	access any other application except through well-defined IPC.
	</p>
	<p>
	When an application (APK file) is installed onto an Android device, the Package
	Manager verifies that the APK has been properly signed with the certificate
	included in that APK. If the certificate (or, more accurately, the public key in
	the certificate) matches the key used to sign any other APK on the device, the
	new APK has the option to specify in the manifest that it will share a UID with
	the other similarly-signed APKs.
	</p>
	<p>
	Applications can be signed by a third-party (OEM, operator, alternative market)
	or self-signed. Android provides code signing using self-signed certificates
	that developers can generate without external assistance or permission.
	Applications do not have to be signed by a central authority. Android currently
	does not perform CA verification for application certificates.
	</p>
	<p>
	Applications are also able to declare security permissions at the Signature
	protection level, restricting access only to applications signed with the same
	key while maintaining distinct UIDs and Application Sandboxes. A closer
	relationship with a shared Application Sandbox is allowed via the <a
	href="https://developer.android.com/guide/topics/manifest/manifest-element.html#uid">shared
	UID feature</a> where two or more applications signed with same developer key
	can declare a shared UID in their manifest.
	</p>
	<h2>APK signing schemes</h2>
	<p>
	Android supports two application signing schemes, one based on JAR signing (v1
	scheme) and <a href="v2.html">APK Signature Scheme v2 (v2 scheme)</a>, which
	was introduced in Android Nougat (Android 7.0).
	</p>
	<p>
	For maximum compatibility, applications should be signed both with v1 and v2
	schemes. Android Nougat and newer devices install apps signed with v2 scheme
	more quickly than those signed only with v1 scheme. Older Android platforms
	ignore v2 signatures and thus need apps to contain v1 signatures.
	</p>
	<h3 id="v1">JAR signing (v1 scheme)</h3>
	<p>
	APK signing has been a part of Android from the beginning. It is based on <a
	href="https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File">
	signed JAR</a>. For details on using this scheme, see the Android Studio documentation on
	<a href="https://developer.android.com/studio/publish/app-signing.html">Signing
	your app</a>.
	</p>
	<p>
	v1 signatures do not protect some parts of the APK, such as ZIP metadata. The
	APK verifier needs to process lots of untrusted (not yet verified) data
	structures and then discard data not covered by the signatures. This offers a
	sizeable attack surface. Moreover, the APK verifier must uncompress all
	compressed entries, consuming more time and memory. To address these issues,
	Android 7.0 introduced APK Signature Scheme v2.
	</p>
	<h3 id="v2">APK Signature Scheme v2 (v2 scheme)</h3>
	<p>
	Android 7.0 introduces APK signature scheme v2 (v2 scheme). The contents of the
	APK are hashed and signed, then the resulting APK Signing Block is inserted
	into the APK. For details on applying the v2 scheme to an application, refer to
	<a href="https://developer.android.com/preview/api-overview.html#apk_signature_v2">APK
	Signature Scheme v2</a> in the Android N Developer Preview.
	</p>
	<p>
	During validation, v2 scheme treats the APK file as a blob and performs signature
	checking across the entire file. Any modification to the APK, including ZIP metadata
	modifications, invalidates the APK signature. This form of APK verification is
	substantially faster and enables detection of more classes of unauthorized
	modifications.
	</p>
	<p>
	The new format is backwards compatible, so APKs signed with the new signature
	format can be installed on older Android devices (which simply ignore the extra
	data added to the APK), as long as these APKs are also v1-signed.
	</p>
	<p>
	<img src="../images/apk-validation-process.png" alt="APK signature verification process" id="figure1" />
	</p>
	<p class="img-caption"><strong>Figure 1.</strong> APK signature verification
	process (new steps in red)</p>

	<p>
	Whole-file hash of the APK is verified against the v2 signature stored in the
	APK Signing Block. The hash covers everything except the APK Signing Block,
	which contains the v2 signature. Any modification to the APK outside of the APK
	Signing Block invalidates the APK's v2 signature. APKs with stripped v2
	signature are rejected as well, because their v1 signature specifies that the
	APK was v2-signed, which makes Android Nougat and newer refuse to verify APKs
	using their v1 signatures.
	</p>

	<p>For details on the APK signature verification process, see the <a href="v2.html#verification">
	Verification section</a> of APK Signature Scheme v2.</p>