
Where is the signature of a signed APK stored?


I am researching methods to modify .apk files in order to add some protection. I understand that all protection code can be removed, but at least it will temporarily protect against auto-patches, for example, patches for the ApkEditor or MT Manager apps.

One of the cases to modify is the PmsHookApplication class (example of detection), which becomes a proxy for the Application class to hook calls to PackageManager.getPackageInfo and returns the original signature. This works for older Android APIs. Since version 28+, the GET_SIGNATURES flag has been deprecated, so the old version of the hook does not work for the new GET_SIGNING_CERTIFICATES flag. Is there any successor to this method? I have not been able to find any new ways. If you know of any, please let me know. It would be helpful to know what "traces" are left after APK re-signing.

My question is connected with the PmsHookApplication patch. It gets the signature from the META-INF/.RSA file and returns it with the call to PackageManager.getPackageInfo. However, when I migrate the signing scheme from version 1 to 2, files like .RSA and .SF do not appear in the META-INF folder of the APK archive.

signingConfigs {
    release {
        storeFile file('.jks')
        storePassword ''
        keyAlias ''
        keyPassword ''
        enableV1Signing false
        enableV2Signing true
        enableV3Signing true
    }
}

On the other hand, the apksigner tool reports that the APK was signed successfully. In scheme version 2, where is the new place to store the signature that can be read by a hacker? Because he can do the same thing: hook and return the original signature. Or has something changed and this method is no longer possible?

> apksigner verify --verbose app-name.apk

Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
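
For reference on the question above, an added example that is not part of the original post: with v1 signing disabled there are no META-INF/.RSA or .SF files, because v2 and v3 signer data is kept in the APK Signing Block, a region placed immediately before the ZIP Central Directory and ending with the magic `APK Sig Block 42`. The sketch below locates that block and lists its ID-value pairs. The function names and the sample bytes are constructed for illustration, and it assumes the ZIP has no archive comment containing the End of Central Directory magic.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_MAGIC = b"PK\x05\x06"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # documented block IDs


def signing_block_entries(apk: bytes) -> dict:
    """Return {pair_id: value} from the APK Signing Block, {} if there is none."""
    eocd = apk.rfind(EOCD_MAGIC)  # assumes no ZIP comment containing the magic
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("no ZIP End of Central Directory record")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    # Footer directly before the Central Directory: uint64 size + 16-byte magic.
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8  # leading size field is not counted in size
    if size < 24 or start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    entries, pos, end = {}, start + 8, cd_offset - 24
    while pos < end:
        if pos + 12 > end:
            raise ValueError("truncated ID-value pair")
        pair_len = struct.unpack_from("<Q", apk, pos)[0]
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair")
        pair_id = struct.unpack_from("<I", apk, pos + 8)[0]
        entries[pair_id] = apk[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return entries


def schemes_present(apk: bytes) -> list:
    return sorted(SCHEME_IDS[i] for i in signing_block_entries(apk) if i in SCHEME_IDS)


def build_sample(pairs) -> bytes:
    """Constructed stand-in for an APK: entries + signing block + empty CD + EOCD."""
    body = b"".join(struct.pack("<QI", len(v) + 4, i) + v for i, v in pairs)
    size = len(body) + 24
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    entries = b"constructed-zip-entries"
    eocd = EOCD_MAGIC + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(entries) + len(block), 0)
    return entries + block + eocd


if __name__ == "__main__":
    sample = build_sample([(0x7109871A, b"v2-signers"), (0xF05368C0, b"v3-signers")])
    print(schemes_present(sample))
```

On a real file, pass the bytes of the .apk to `schemes_present`; an APK signed only with the v1 scheme has no such block and yields an empty list.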


