Application signing

Application signing is one of the unique features of Android, which has led to its success due to its openness and its developer community. There are over a million apps in the Play Store. In Android, anyone can create an Android application by downloading the Android SDK, and then publish it on the Play Store. There are two types of certificate signing mechanisms in general. One is signed by a governing Certificate Authority(CA)and the other is a Self-signed certificate. There is no intermediate Certificate Authority (CA), whereas developers could create their own certificates and sign the application.

The CA signing is seen in the Apple's iOS application model, in which every application that a developer uploads to the App Store is verified and then signed by the Apple's Certificate. Once it is downloaded to a device, the device verifies whether the application is signed by the Apple's CA, and only then allows the application to run.

However, in Android it is the opposite. There is no Certificate Authority; instead the developer's self-created certificate could sign the applications. Once the application has been uploaded, it goes for verification to Google Bouncer, which is a virtual environment created to check whether an application is malicious or legitimate. Once the check is done, the app then appears in the Play Store. Google does no signing of the application in this case. Developers could create their own certificate using a tool that comes with the Android SDK called the keytool, or could use Eclipse's GUI for creation of the certificate.

So in Android, once a developer has signed an application with the certificate he has created, he needs to keep the key of the certificate in a secure place to prevent someone else to be able to steal his keys and sign other applications with the developer's certificate.

If we have an Android application (.apk) file, we could check the signature of the application and find out who signed the application using a tool known as jarsigner, which comes along with the Android SDK:

$ jarsigner -verify -certs -verbose testing.apk

The following is a screenshot of running the preceding command on the application, and getting the information about the signature:

Also, one could parse out the ASCII content of the CERT.RSA file present in the META-INF folder after unzipping the .apk file in order to get the signature, as shown in the following command:

$ unzip testing.apk
$ cd META-INF
$ openssl pkcs7 -in CERT.RSA -print_certs -inform DER -out out.cer
$ cat out.cer

This is very useful when it comes to detecting and analyzing an unknown Android .apk sample. Thus, using this we will have the information about who signed it, and other details.