I'm not familiar with the idea of signing files, and I can't find a satisfactory answer so far, so I think I'd better ask:

What I want to know is this: when signing a binary file (for Android), does the signing tool assign some sort of checksum to the file, so that when a hacker changes something in the APK file the program refuses to start because the checksum doesn't match? Does this mechanism exist in Android's signing tool?

Well, I understand that when a hacker has the binary, he can disable anything he wants, including the checksum check. But the question is: does Android's signing tool provide this level of protection in the first place?

Thank you for reading, and answering!

nobody
wwyt

3 Answers

The answers that say "no, they can't modify your apk" are only about halfway right: Yes, no one can modify your code and resign it with your key, meaning the malicious cracker can't make the modified app look like it actually came from you. But that doesn't mean they can't modify and run the APK after resigning it with a different key.

They could take your signed APK, modify its code, and resign it themselves with their own key; they couldn't issue that app as an update or anything like that, but the modified self-signed APK would normally be installable by any user, root or not.

EDIT: Worth crawling around xda-developers to see what people are doing in that respect (some semi-legitimate, like modifying and reissuing theme APKs; others much less so). Tools like android-apktool are particularly interesting.

Also see these SO questions:

Yoni Samlan
  • Thank you very much! Yes, while I was researching this topic, I saw an SO post that says his app was re-published on Android Market by some hacker under their own name!!! I guess this is exactly what you said here. (Many years ago I used to use this approach: after a build is made, I will add my own checksum to the binary file. And at run-time, the program does its own checking. But this doesn't work nowadays, because this would mean I'm tampering with a signed binary myself!) – wwyt Mar 23 '11 at 17:52
  • @wwyt you can try to check on the app *signature* at runtime, but a particularly enterprising hacker could just remove the checks if you don't do it right. Your best bet is something like the Android licensing service (http://developer.android.com/guide/publishing/licensing.html). – Yoni Samlan Mar 23 '11 at 19:46
  • @wwyt the Facebook single-sign-on SDK does something like this to ensure no malicious apps hijack their intent: https://github.com/facebook/facebook-android-sdk/blob/master/facebook/src/com/facebook/android/Facebook.java#L244-277 – Yoni Samlan Mar 23 '11 at 19:52
Android binary signing is accomplished using the Jarsigner tool, part of the standard Java SDK. Signing a jar with this tool simply adds two files: one that contains the hashed values for each file within the jar/application (the signature or .sf file), and one that verifies the signature file and identifies the signing certificate (the DSA file).

So checking the signature would, yes, necessarily involve checking whether the hashes of the binary file match the provided value, which would detect any changes to the binary. And yes, the Android documentation says that the system will not install or run an application without a valid signature.

So yes, you can assume that signing your file properly will prevent it from running after being altered.

Jacob Mattison
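As an added example (not code from this answer or from Android's tooling), here is a model of the per-entry digest check the answer describes: a constructed in-memory archive carrying jarsigner-style SHA-256 digests in its MANIFEST.MF, a verifier that recomputes them, and a modification that is not re-signed, which the verifier flags. The .sf file, the signature block and the certificate check are left out; only the content-versus-digest step is shown, and the entry names and digest algorithm are assumptions for the sample.

```python
import base64
import hashlib
import io
import zipfile

def digest_b64(data: bytes) -> str:
    # jarsigner stores digests base64-encoded; SHA-256 is assumed for this sample
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_sample_apk(dex: bytes) -> bytes:
    # Constructed sample: two payload entries plus a MANIFEST.MF listing their digests
    res = b"<resources/>"
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        f"Name: classes.dex\r\nSHA-256-Digest: {digest_b64(dex)}\r\n\r\n"
        f"Name: res/values.xml\r\nSHA-256-Digest: {digest_b64(res)}\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        z.writestr("res/values.xml", res)
        z.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    """Map entry name -> expected digest from the manifest's per-entry sections."""
    digests = {}
    for section in text.replace("\r\n", "\n").split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def verify_entries(apk: bytes) -> list:
    """Recompute each listed entry's digest; return the names that no longer match."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        return [n for n, want in expected.items() if digest_b64(z.read(n)) != want]

def patch_entry(apk: bytes, name: str, new_data: bytes) -> bytes:
    """Replace one entry and leave the manifest untouched (a modified, un-resigned APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()
```

On the constructed archive verify_entries returns an empty list; after patch_entry swaps classes.dex without regenerating the manifest it returns ['classes.dex'], which is the mismatch the installer's check would reject. A real installer additionally verifies the .sf digests over the manifest and the signature over the .sf file, so the manifest itself cannot simply be rewritten to match.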
Yes, the OS must check that the content of the binary actually matches up to the signature. It would be worthless otherwise - someone could just take a signature from a legitimate application and stick it onto any other binary.

nobody