Sign apk on Android

0

Starting out with Android, I have seen that it is necessary to sign the apk. But thinking about what a digital signature is and what it does (guarantee the authenticity and integrity of information), I read that Android does not really make you sign the app to verify authenticity and integrity, but rather that "Android uses that signature to identify the application that is making any kind of request, either to the system or to other applications" (link)

  • Is that so?

  • I have read that it is recommended that a developer sign their apps with the same signature (link). The concept of a digital signature is unique to each document, so how is it possible for different apps from one developer to have the same signature?

  • I think I've read that when signing the apk, only I can decipher or decompile it, since I have the private key. Is that so?

  • asked by user3254515 13.11.2016 at 18:56

    1 answer

    1

    The person who wrote the article you are referring to has some problems with the correct use of terminology, and ends up saying some nonsense. To clarify, there is the official documentation on app signing.

    Answering your questions:

    Is that so?

    No. The system uses the signature of the apk for what it is: to determine authenticity according to the digital signature it contains.

    I have read that it is recommended that a developer sign their apps with the same signature

    No, this would not be possible. It is recommended that a developer sign their apps with the same certificate. By signing them with the same certificate you can share functionality and data between them, things that are not possible for applications that are not signed with the same certificate.

    I think I read that by signing the apk, only I can decipher or decompile it, since I have the private key. Is that so?

    No, any person with intermediate knowledge can obtain the .class files from the dex and run a decompiler on them. The digital signature is not intended, and does not claim, to provide any kind of protection in this regard.

    Having said all this, you do not need a certificate issued by a trusted authority to sign your applications; you can use a self-issued certificate. Whether that suits you or not is beyond the scope of this answer.

    answered by 13.11.2016 / 19:25
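The three points in the answer (one signature per APK but one shared certificate, integrity checking, and no confidentiality), shown as an added example that is not part of the answer or of Android's own tooling. It assumes a toy unpadded RSA key built from two small Mersenne primes and uses plain zip files as stand-ins for APKs; the digest-of-entries step mirrors what MANIFEST.MF records in v1 signing.

```python
import hashlib
import io
import zipfile

# Toy RSA key from two Mersenne primes (2^61-1 and 2^89-1): far too small for real
# use and unpadded, but enough to show what a signature does and does not give you.
P, Q = (1 << 61) - 1, (1 << 89) - 1
PUBLIC_KEY = (P * Q, 65537)                     # (N, E): what the certificate carries
D = pow(65537, -1, (P - 1) * (Q - 1))           # private exponent, kept by the developer

def build_apk(entries):
    """Constructed stand-in for an APK: a zip holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def content_digest(apk):
    """Hash every entry, as MANIFEST.MF does; truncated to 128 bits so it is < N."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in sorted(z.namelist()):
            h.update(name.encode() + hashlib.sha256(z.read(name)).digest())
    return int.from_bytes(h.digest()[:16], "big")

def sign(apk):
    """Signing block: the per-APK signature plus the signer's public key (certificate)."""
    return pow(content_digest(apk), D, PUBLIC_KEY[0]), PUBLIC_KEY

def verify(apk, block):
    """Integrity/authenticity check: the public key must recover the current digest."""
    sig, (n, e) = block
    return pow(sig, e, n) == content_digest(apk)

def signer_id(pubkey):
    """Certificate fingerprint: what Android compares to decide 'same signer'."""
    return hashlib.sha256(f"{pubkey[0]}:{pubkey[1]}".encode()).hexdigest()[:16]

def demo():
    manifest = b"<manifest/>"
    app_a = build_apk({"classes.dex": b"dex A", "AndroidManifest.xml": manifest})
    app_b = build_apk({"classes.dex": b"dex B", "AndroidManifest.xml": manifest})
    block_a, block_b = sign(app_a), sign(app_b)
    tampered = build_apk({"classes.dex": b"dex A patched", "AndroidManifest.xml": manifest})
    with zipfile.ZipFile(io.BytesIO(app_a)) as z:
        dex_readable = z.read("classes.dex") == b"dex A"   # signing never encrypted it
    return {
        "same_signature": block_a[0] == block_b[0],            # False: one per APK
        "same_signer": signer_id(block_a[1]) == signer_id(block_b[1]),  # True
        "a_verifies": verify(app_a, block_a),
        "tamper_detected": not verify(tampered, block_a),
        "dex_readable_after_signing": dex_readable,
    }
```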