
Application Signing (JAR signing, v2 signature scheme, v3 signature scheme)

Android application signing is the process that lets the developer of an application be identified as its legitimate author, and hence lets that developer update the APK. Applications that are attempted to be installed without being signed are rejected by package installer services such as Google Play. Android application signing is also the first step of placing an Android application in an Android application sandbox: different Android applications run with different User IDs (UIDs), which prevents one application from gaining access to another application. When an Android application is installed on an Android device, the package manager verifies whether its certificate is properly set. The certificate contains the public key that is matched against the key used to sign any other APK.

Android applications can be self-signed or signed by a third party. Android application signing can be done by three methods: JAR signing, the v2 Signature Scheme and the v3 Signature Scheme.


JAR Signing (v1 Signature Scheme): -

It is based on signed JAR files. It is not completely secure, as it does not protect all parts of the Android APK, such as the ZIP metadata, and so it offers a sizeable attack surface. The APK verifier must also uncompress all compressed entries, consuming more time and memory.

To address these issues in Android 7.0, v2 Signature Scheme was introduced.

APK Signature Scheme v2: -

The Android v2 Signature Scheme provides more security features and maintains integrity in application signing. It was introduced with Android 7.0.

The v2 Signature Scheme treats the whole APK file as a single Binary Large Object (BLOB), and if it finds any ZIP metadata that does not match, it invalidates the signature. Due to these features it increases the installation time of the APK.

APK Signature Scheme v3: -

It is supported by Android 9. It enables the feature of Android key rotation, which gives Android apps the ability to change their signing key as part of their update. The v3 scheme also adds information about the SDK versions and a proof of rotation to the signing block.
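To check which of these schemes an APK actually carries, the following added example (not from the original article) parses the APK Signing Block that v2 and v3 place before the ZIP central directory and reports the scheme block IDs it finds. The v2 and v3 block IDs are the values published in the Android signing documentation; the sample APK is constructed in memory with placeholder payloads rather than real signatures, and the code only inventories the block, it does not verify anything.

```python
import io, struct, zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# Block IDs published in the Android APK signing documentation.
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}

def eocd_cd_offset(apk: bytes) -> int:
    # Locate the ZIP End of Central Directory record and read the central
    # directory offset it stores (no ZIP64 handling in this example).
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    return struct.unpack_from("<I", apk, eocd + 16)[0]

def signing_schemes(apk: bytes) -> set:
    """Return the schemes ('v2', 'v3') whose ID-value pairs are present in the
    APK Signing Block. Empty set: v1 (JAR) only or unsigned. Inventory only."""
    cd = eocd_cd_offset(apk)
    if cd < 32 or apk[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return set()
    size = struct.unpack_from("<Q", apk, cd - 24)[0]   # excludes its own 8 bytes
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("inconsistent APK Signing Block size fields")
    found, pos, end = set(), start + 8, cd - 24
    while pos + 12 <= end:
        length, block_id = struct.unpack_from("<QI", apk, pos)  # length = id + value
        if block_id in SCHEME_IDS:
            found.add(SCHEME_IDS[block_id])
        pos += 8 + length
    return found

def minimal_zip() -> bytes:
    """Constructed one-entry ZIP standing in for an unsigned or v1-only APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()

def build_sample_apk(schemes) -> bytes:
    """Insert a constructed APK Signing Block (placeholder payloads, not real
    signatures) before the central directory and repoint the EOCD to it."""
    data = minimal_zip()
    cd = eocd_cd_offset(data)
    ids = {name: bid for bid, name in SCHEME_IDS.items()}
    pairs = b"".join(struct.pack("<QI", 4 + 8, ids[s]) + b"\x00" * 8 for s in schemes)
    size = len(pairs) + 24                      # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = data.rfind(b"PK\x05\x06")
    data = data[:eocd + 16] + struct.pack("<I", cd + len(block)) + data[eocd + 20:]
    return data[:cd] + block + data[cd:]
```

A real APK passed to signing_schemes() reports v2/v3 presence the same way; an empty result on a production app is the v1-only case discussed above.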