user3254515 - 25 days ago
Android Question

Signed apk android. What does Android use the signature for?

Starting with Android I have seen that it is necessary to sign the apk. But thinking about what a digital signature is and what it serves for (guaranteeing authenticity and integrity of information), I've read that Android really does not make you sign the app to verify authenticity and integrity, but because "Android uses that signature to identify the app that is making any type of request either to the system or to other applications".


  1. Is that so?

  2. I read that it is recommended that a developer sign their apps with the same signature. The concept of a digital signature is unique for each document, so how is it possible that different apps of a developer have the same signature?

  3. I think I read that by signing the apk, I and nobody else can modify this app. Is that so? How is this?

Thank you

Answer
  1. Both are correct. Signatures are indeed used to detect that the app you're installing has not been modified, but they can also be used to restrict access from other apps on your device. Say a company builds 2 apps, and they want to share data between them. They can use a signature-protected permission to ensure that your data can only be accessed by that company's apps.

  2. It's not the signature that's the same, but the private key used to generate that signature. The signature is unique for every build of your app, as you would expect. See https://developer.android.com/studio/publish/app-signing.html for more info.

  3. It's not that you cannot modify the app; it's that Android will not allow you to upgrade an app from version A to version B if the signatures of A and B were generated from different keys. If someone tampers with the app, the signature will be invalidated so they have to re-sign it with their own key. You should never give your key to untrusted people, since that would allow them to modify and re-sign your apps without changing the key.

Of course, signatures don't protect you from malicious modified APKs unless you already have an authentic version of the app installed that Android can compare the new version with. This is why you should refrain from installing APK files from unknown sources.
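Added example (not part of the answer above, and not Android's own code): a small Go model of the three rules the answer describes, so you can see them operate. It assumes a made-up `Apk` struct and `Device` type, uses Ed25519 as a stand-in for the RSA/ECDSA certificates Android actually uses, and signs a SHA-256 digest of the package contents. The package names and build contents are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Apk is a constructed stand-in for a signed package: the bytes of the build,
// the developer's public key (playing the role of the signing certificate)
// and the signature over the build. A real APK carries these in META-INF
// and the APK Signing Block; this struct only models the relationships.
type Apk struct {
	Package string
	Version int
	Content []byte
	Signer  ed25519.PublicKey
	Sig     []byte
}

// Sign produces a build signed with priv. The signature covers a hash of the
// content, so two builds signed with the same key still get different
// signatures (answer point 2: the key is shared, the signature is not).
func Sign(pkg string, version int, content []byte, priv ed25519.PrivateKey) Apk {
	digest := sha256.Sum256(content)
	return Apk{
		Package: pkg,
		Version: version,
		Content: content,
		Signer:  priv.Public().(ed25519.PublicKey),
		Sig:     ed25519.Sign(priv, digest[:]),
	}
}

// Verify is the integrity check: any change to Content invalidates Sig.
func Verify(a Apk) bool {
	digest := sha256.Sum256(a.Content)
	return ed25519.Verify(a.Signer, digest[:], a.Sig)
}

// Device models the installed packages on one phone, keyed by package name.
type Device struct{ Installed map[string]Apk }

var (
	ErrTampered       = errors.New("signature does not verify: package modified or corrupt")
	ErrSignerMismatch = errors.New("update is signed with a different key than the installed version")
)

// Install mirrors the platform rule from answer point 3: a package whose
// signature does not verify is rejected, and an update is accepted only if
// it was signed with the same key as the version already installed.
func (d *Device) Install(a Apk) error {
	if !Verify(a) {
		return ErrTampered
	}
	if old, ok := d.Installed[a.Package]; ok && !bytes.Equal(old.Signer, a.Signer) {
		return ErrSignerMismatch
	}
	d.Installed[a.Package] = a
	return nil
}

// SameSigner is the decision behind a signature-protected permission
// (answer point 1): the caller is granted access only if it was signed with
// the same key as the app that declares the permission.
func (d *Device) SameSigner(declaring, caller string) bool {
	a, ok1 := d.Installed[declaring]
	b, ok2 := d.Installed[caller]
	return ok1 && ok2 && bytes.Equal(a.Signer, b.Signer)
}

func main() {
	_, devKey, _ := ed25519.GenerateKey(rand.Reader)   // the developer's key
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader) // someone else's key

	d := &Device{Installed: map[string]Apk{}}
	v1 := Sign("com.example.app", 1, []byte("build 1"), devKey)
	fmt.Println("install v1:", d.Install(v1))

	// A re-signed copy from another key cannot replace the installed app.
	rogue := Sign("com.example.app", 2, []byte("build 2 with extra code"), otherKey)
	fmt.Println("install rogue v2:", d.Install(rogue))

	// A genuine update from the same key is accepted.
	v2 := Sign("com.example.app", 2, []byte("build 2"), devKey)
	fmt.Println("install v2:", d.Install(v2))

	// Two apps from the same key pass a signature-level permission check.
	d.Install(Sign("com.example.companion", 1, []byte("companion"), devKey))
	d.Install(Sign("com.other.app", 1, []byte("other"), otherKey))
	fmt.Println("companion allowed:", d.SameSigner("com.example.app", "com.example.companion"))
	fmt.Println("other app allowed:", d.SameSigner("com.example.app", "com.other.app"))
}
```

Note what `Install` does on a fresh install: with nothing to compare against, it accepts any package whose signature is self-consistent, whoever signed it. That is exactly the gap the answer's last paragraph points at, and why the same-key rule only helps once an authentic version is already on the device.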