page.title=Application Signing
@jd:body

<!--
    Copyright 2016 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->
<div id="qv-wrapper">
  <div id="qv">
    <h2>In this document</h2>
    <ol id="auto-toc">
   </ol>
  </div>
</div>

<p>
Application signing allows developers to identify the author of the application
and to update their application without creating complicated interfaces and
permissions. Every application that is run on the Android platform must be <a
href="https://developer.android.com/studio/publish/app-signing.html">signed by
the developer</a>. Applications that attempt to install without being signed
will be rejected by either Google Play or the package installer on the Android
device.
</p>
<p>
On Google Play, application signing bridges the trust Google has with the
developer and the trust the developer has with their application. Developers
know their application is provided, unmodified, to the Android device; and
developers can be held accountable for behavior of their application.
</p>
<p>
On Android, application signing is the first step to placing an application in
its Application Sandbox. The signed application certificate defines which user
ID is associated with which application; different applications run under
different user IDs. Application signing ensures that one application cannot
access any other application except through well-defined IPC.
</p>
<p>
When an application (APK file) is installed onto an Android device, the Package
Manager verifies that the APK has been properly signed with the certificate
included in that APK. If the certificate (or, more accurately, the public key in
the certificate) matches the key used to sign any other APK on the device, the
new APK has the option to specify in the manifest that it will share a UID with
the other similarly-signed APKs.
</p>
<p>
Applications can be signed by a third-party (OEM, operator, alternative market)
or self-signed. Android provides code signing using self-signed certificates
that developers can generate without external assistance or permission.
Applications do not have to be signed by a central authority. Android currently
does not perform CA verification for application certificates.
</p>
<p>
Applications are also able to declare security permissions at the Signature
protection level, restricting access only to applications signed with the same
key while maintaining distinct UIDs and Application Sandboxes. A closer
relationship with a shared Application Sandbox is allowed via the <a
href="https://developer.android.com/guide/topics/manifest/manifest-element.html#uid">shared
UID feature</a>, where two or more applications signed with the same developer key
can declare a shared UID in their manifest.
</p>
<h2>APK signing schemes</h2>
<p>
Android supports two application signing schemes, one based on JAR signing (v1
scheme) and <a href="v2.html">APK Signature Scheme v2 (v2 scheme)</a>, which
was introduced in Android Nougat (Android 7.0).
</p>
<p>
For maximum compatibility, applications should be signed with both the v1 and v2
schemes. Android Nougat and newer devices install apps signed with the v2 scheme
more quickly than those signed only with the v1 scheme. Older Android platforms
ignore v2 signatures and thus need apps to contain v1 signatures.
</p>
<h3 id="v1">JAR signing (v1 scheme)</h3>
<p>
APK signing has been a part of Android from the beginning. It is based on the <a
href="https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File">
signed JAR</a> format. For details on using this scheme, see the Android Studio documentation on
<a href="https://developer.android.com/studio/publish/app-signing.html">Signing
your app</a>.
</p>
<p>
v1 signatures do not protect some parts of the APK, such as ZIP metadata. The
APK verifier needs to process lots of untrusted (not yet verified) data
structures and then discard data not covered by the signatures. This offers a
sizeable attack surface. Moreover, the APK verifier must uncompress all
compressed entries, consuming more time and memory. To address these issues,
Android 7.0 introduced APK Signature Scheme v2.
</p>
<h3 id="v2">APK Signature Scheme v2 (v2 scheme)</h3>
<p>
Android 7.0 introduces APK signature scheme v2 (v2 scheme). The contents of the
APK are hashed and signed, then the resulting APK Signing Block is inserted
into the APK. For details on applying the v2 scheme to an application, refer to
<a href="https://developer.android.com/preview/api-overview.html#apk_signature_v2">APK
Signature Scheme v2</a> in the Android N Developer Preview.
</p>
<p>
During validation, the v2 scheme treats the APK file as a blob and performs signature
checking across the entire file. Any modification to the APK, including ZIP metadata
modifications, invalidates the APK signature. This form of APK verification is
substantially faster and enables detection of more classes of unauthorized
modifications.
</p>
<p>
The new format is backwards compatible, so APKs signed with the new signature
format can be installed on older Android devices (which simply ignore the extra
data added to the APK), as long as these APKs are also v1-signed.
</p>
<p>
  <img src="../images/apk-validation-process.png" alt="APK signature verification process" id="figure1" />
</p>
<p class="img-caption"><strong>Figure 1.</strong> APK signature verification
process (new steps in red)</p>

<p>
The whole-file hash of the APK is verified against the v2 signature stored in the
APK Signing Block. The hash covers everything except the APK Signing Block,
which contains the v2 signature. Any modification to the APK outside of the APK
Signing Block invalidates the APK's v2 signature. APKs with a stripped v2
signature are rejected as well, because their v1 signature specifies that the
APK was v2-signed, which makes Android Nougat and newer refuse to verify such APKs
using their v1 signatures.
</p>
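<p>
As an added example (not from the original page or from AOSP), the following Python constructs a stand-in APK with an APK Signing Block spliced in before the central directory, then contrasts what the two schemes cover, as described in the v1 and whole-file-hash paragraphs above: per-entry digests of uncompressed content for v1, and a whole-file digest that excludes the signing block for v2. The ZIP entries, the signing block payload and the modification-time tamper are constructed here, and the digest is a simplification of the v2 scheme (which digests 1 MiB chunks and masks the EOCD's central-directory offset).
</p>

```python
import hashlib, io, struct, zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # 16-byte magic that ends the APK Signing Block

def build_apk(entries, sig_payload=b"<constructed stand-in for the v2 ID-value pairs>"):
    # Constructed stand-in for an APK: ZIP entries, then an APK Signing Block (uint64
    # size, payload, uint64 size, magic), then the central directory and a moved EOCD.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    raw = buf.getvalue()
    eocd = raw.rfind(b"PK\x05\x06")                       # end of central directory record
    (cd_off,) = struct.unpack_from("<I", raw, eocd + 16)   # central directory offset
    size = len(sig_payload) + 8 + 16                       # excludes the leading size field
    block = struct.pack("<Q", size) + sig_payload + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    new_eocd = raw[eocd:eocd + 16] + struct.pack("<I", cd_off + len(block)) + raw[eocd + 20:]
    return raw[:cd_off] + block + raw[cd_off:eocd] + new_eocd

def find_sig_block(apk):
    # Locate the block as a v2 verifier does: EOCD -> CD offset -> magic -> trailing size.
    eocd = apk.rfind(b"PK\x05\x06")
    (cd_off,) = struct.unpack_from("<I", apk, eocd + 16)
    if apk[cd_off - 16:cd_off] != SIG_BLOCK_MAGIC:
        return None                                        # no v2 signature present
    (size,) = struct.unpack_from("<Q", apk, cd_off - 24)
    start = cd_off - 8 - size
    if struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    return start, cd_off

def v1_style_digests(apk):
    # What JAR signing covers: a digest of each entry's uncompressed content (as listed
    # in MANIFEST.MF). ZIP headers and other ZIP metadata are not covered.
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}

def v2_style_digest(apk):
    # Whole-file digest over everything except the APK Signing Block. Simplified: the
    # real scheme digests 1 MiB chunks and masks the EOCD's central-directory offset.
    start, cd_off = find_sig_block(apk)
    return hashlib.sha256(apk[:start] + apk[cd_off:]).hexdigest()

def tamper_zip_metadata(apk):
    # Flip the modification time in the first central-directory record: metadata only.
    _, cd_off = find_sig_block(apk)
    t = bytearray(apk)
    t[cd_off + 12] ^= 0xFF
    return bytes(t)
```

The flipped modification time leaves every v1 per-entry digest identical while the v2 whole-file digest changes, which is exactly the ZIP-metadata gap the v2 scheme closes.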

<p>For details on the APK signature verification process, see the <a href="v2.html#verification">
Verification section</a> of APK Signature Scheme v2.</p>
