Friday, December 9, 2016

Android Signature scheme v2

Related talk: "What's new in Android security N..." (DroidCon London 2016 conference video)

In Android Studio 2.2+ and the Android Gradle plugin 2.2.0+, Google added APK Signature Scheme v2 to combat unauthorized modifications to APK files. Unlike the JAR (v1) signature, which only covers the names and uncompressed contents of ZIP entries, v2 signs the whole file: it detects any change to the APK and can be verified faster, because no ZIP entry has to be decompressed. Only devices running Android N (7.0) check the v2 signature; older devices ignore the v2 block and fall back to the v1 signature, which is why APKs are signed with both.
More info jira:
The Gradle plugin 2.2.0+ signs with both schemes by default. Setting v2SigningEnabled true in the signingConfigs block of build.gradle (Module: app) makes this explicit; setting it to false disables v2, which is only needed if a build step still rewrites the APK after signing (that would invalidate a v2 signature anyway):
android {
    ...
    defaultConfig { ... }
    signingConfigs {
        release {
            storeFile file("myreleasekey.keystore")
            // Do not commit real passwords: load them from gradle.properties or environment variables.
            storePassword "password"
            keyAlias "MyReleaseKey"
            keyPassword "password"
            v2SigningEnabled true
        }
    }
}

To verify that an installed APK was signed with scheme v2 you need a device running Android N, because older releases do not parse the v2 block at all. Run the command below: apkSigningVersion=1 means only the v1 (JAR) signature was recognised, apkSigningVersion=2 means the v2 signature was verified.
$ adb shell pm dump myPackageName | grep apkSigningVersion



Verification of the v2 signature is only supported from Android N onwards; on older devices the v1 signature is what protects the install, so v2 adds protection only where the installing device understands it. Once Android N becomes widespread it is worth making sure the flag is on. One practical caveat: because v2 covers every byte of the file, any tool that rewrites the APK after signing (zipalign, for instance) invalidates the signature, so align first and sign last.

Google's commit message for signapk (transcribed from the screenshot below):

Make signapk sign using APK Signature Scheme v2.

APKs are now signed with the usual JAR signature scheme and then
with the APK Signature Scheme v2.

APK Signature Scheme v2 is a whole-file signature scheme which aims
to protect every single bit of the APK as opposed to the JAR signature
scheme which protects only the names and uncompressed contents of ZIP
entries.

The two main goals of APK Signature Scheme v2 are:
1. Detect any unauthorized modifications to the APK. This is achieved
   by making the signature cover every byte of the APK being signed.
2. Enable much faster signature and integrity verification. This is
   achieved by requiring only a minimal amount of APK parsing before
   the signature is verified, thus completely bypassing ZIP entry
   decompression and by making integrity verification parallelizable
   by employing a hash tree.
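
To make the layout described in that commit message concrete, here is an added example in Python (my code, not the page's or AOSP's). It builds a constructed two-entry APK with an APK Signing Block spliced in between the ZIP entries and the central directory, locates the block by walking back from the EOCD, lists the ID-value pairs it contains (0x7109871a is the v2 signature ID), and computes the v2 content digest with the scheme's chunked construction: 1 MiB chunks, each hashed as 0xa5 || length || bytes, then a root hash over 0x5a || count || leaf digests. The value stored in the v2 pair is a placeholder, not a real signer structure, and no signature is actually verified; the point is to show which bytes the digest covers, why the EOCD's central-directory offset has to be patched before hashing, and why a single flipped byte anywhere in the ZIP entries (or a post-signing rewrite of the file) changes the digest.

```python
"""Added example: locate an APK Signing Block and compute the v2 content digest."""
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailing magic of the APK Signing Block
V2_BLOCK_ID = 0x7109871A                    # ID-value pair ID of the v2 signature
CHUNK = 1 << 20                             # v2 hashes each section in 1 MiB chunks


def find_eocd(data):
    """Offset of the End Of Central Directory record (its comment must end exactly at EOF)."""
    for i in range(len(data) - 22, max(-1, len(data) - 22 - 65536), -1):
        if data[i:i + 4] == b"PK\x05\x06":
            comment_len = struct.unpack_from("<H", data, i + 20)[0]
            if i + 22 + comment_len == len(data):
                return i
    raise ValueError("no EOCD record: not a ZIP/APK")


def find_signing_block(data):
    """Return (block_start, cd_start, eocd), or None if there is no APK Signing Block.

    Block layout: uint64 size | ID-value pairs | uint64 size | 16-byte magic,
    ending exactly where the central directory begins.
    """
    eocd = find_eocd(data)
    cd_start = struct.unpack_from("<I", data, eocd + 16)[0]
    if cd_start < 32 or data[cd_start - 16:cd_start] != APK_SIG_BLOCK_MAGIC:
        return None
    size = struct.unpack_from("<Q", data, cd_start - 24)[0]
    block_start = cd_start - size - 8
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size:
        return None
    return block_start, cd_start, eocd


def signing_block_ids(data, block_start, cd_start):
    """IDs of the ID-value pairs in the block; 0x7109871a means a v2 signature is present."""
    ids, pos, end = [], block_start + 8, cd_start - 24
    while pos < end:
        length, id_ = struct.unpack_from("<QI", data, pos)  # length counts ID + value
        ids.append(id_)
        pos += 8 + length
    return ids


def v2_content_digest(data, algo="sha256"):
    """Chunked digest over ZIP entries, central directory and EOCD, as v2 defines it."""
    loc = find_signing_block(data)
    if loc is None:
        raise ValueError("no APK Signing Block")
    block_start, cd_start, eocd = loc
    eocd_bytes = bytearray(data[eocd:])
    # The CD offset inside the EOCD is replaced by the signing block's offset, so the
    # digest is the same as the one computed before the block was inserted.
    struct.pack_into("<I", eocd_bytes, 16, block_start)
    sections = (data[:block_start], data[cd_start:eocd], bytes(eocd_bytes))
    leaves = []
    for sec in sections:
        for off in range(0, len(sec), CHUNK):
            chunk = sec[off:off + CHUNK]
            # leaf = H(0xa5 || uint32 LE chunk length || chunk bytes)
            leaves.append(hashlib.new(algo, b"\xa5" + struct.pack("<I", len(chunk)) + chunk).digest())
    # root = H(0x5a || uint32 LE chunk count || concatenated leaf digests)
    return hashlib.new(algo, b"\x5a" + struct.pack("<I", len(leaves)) + b"".join(leaves)).digest()


def build_sample_apk():
    """Constructed sample: a two-entry ZIP with an APK Signing Block spliced in.

    The v2 pair carries a placeholder value, not a real signer structure (hypothetical).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
    raw = buf.getvalue()
    eocd = find_eocd(raw)
    cd_start = struct.unpack_from("<I", raw, eocd + 16)[0]
    value = b"placeholder v2 signer"
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pair) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    new_eocd = bytearray(raw[eocd:])
    struct.pack_into("<I", new_eocd, 16, cd_start + len(block))  # CD moved past the block
    return raw[:cd_start] + block + raw[cd_start:eocd] + bytes(new_eocd)


def is_readable_zip(data):
    """The spliced APK must still open as an ordinary ZIP, so v1 tooling keeps working."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.testzip() is None


def flip_byte(data, offset):
    """Tamper with one byte (here inside the first local file header); v2 must notice."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    apk = build_sample_apk()
    block_start, cd_start, eocd = find_signing_block(apk)
    print("signing block at", block_start, "IDs:", [hex(i) for i in signing_block_ids(apk, block_start, cd_start)])
    print("v2 digest:     ", v2_content_digest(apk).hex())
    print("after tamper:  ", v2_content_digest(flip_byte(apk, 40)).hex())
```

Run it with python3; on a real APK, replace build_sample_apk() with the file's bytes and v2_content_digest() yields the digest that a verifier compares against the one carried in the signer's signed data inside the v2 block. Note that the ID-value pairs themselves are deliberately outside the digest (the signature has to live somewhere), which is also why a v1-only verifier can ignore the block entirely.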


Android source code explained

Read this http://elinux.org/Master-android :)