CN106656513A - Secondary packaging signature verification method for APK files on Android platform - Google Patents

Secondary packaging signature verification method for APK files on Android platform

Info

Publication number: CN106656513A
Authority: CN (China)
Prior art keywords: file, apk, digital signature, signature, embedded
Legal status: Granted, Active
Application number: CN201710101261.6A
Other languages: Chinese (zh)
Other versions: CN106656513B (en)
Inventors: 陈嘉祺, 谢纯珀
Current Assignee: Fujian Morefun Electronic Technology Co Ltd
Original Assignee: Fujian Morefun Electronic Technology Co Ltd
Application filed by Fujian Morefun Electronic Technology Co Ltd
Priority to CN201710101261.6A
Publication of CN106656513A
Application granted
Publication of CN106656513B
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention provides a secondary packaging signature verification method for APK files on the Android platform. The method comprises the following steps: step 1, a signing tool signs the packaged original APK file with a private key to generate an APK file embedded with a digital signature file; step 2, a public key certificate is preset on a terminal device, and the APK file embedded with the digital signature file is downloaded to the terminal device; and step 3, the terminal device verifies the legitimacy of the APK file embedded with the digital signature file by using the public key certificate. The method effectively prevents applications from being illegally cracked, implanted with malicious code and repackaged, and helps ensure the security of user data such as accounts, passwords and traffic.

Description

Secondary packaging signature verification method for APK files on the Android platform
Technical field
The present invention relates to a secondary packaging signature verification method for APK files on the Android platform.
Background art
Android is a free, open-source operating system based on Linux, used mainly on mobile devices such as smartphones and tablet computers. On the Android platform, the installation file of an application (APP) is stored in the APK (Android Package) format. An APK file is in essence a zip archive that mainly contains res/class/jar and the permission configuration file, among others. An APK file also contains a META-INFO directory, which mainly stores the data generated when the APK file is given its primary signature.
Generally, a developer signs the APK with Eclipse/Android Studio, the Ant tool or the like, which generates a primary signature file that is saved in the META-INFO directory. When an APK file is installed, the lower layer of the Android platform first verifies the signature of the APK file and parses it to obtain the relevant information about the application, and then installs the application. However, the existing primary signature technique is a self-signed scheme, under which every signature is in theory legitimate (that is, every APK is allowed to be installed), so the existing primary signature cannot control APK installation. Moreover, some APP programs are easily pirated: once one has been cracked, implanted with malicious code and repackaged, it is identical to the original APP in performance, user experience and appearance, yet it may silently run harmful programs in the background, which may waste the phone's battery and data traffic, make malicious charges, or spy on private data without the user noticing.
Summary of the invention
The technical problem to be solved by the present invention is to provide a secondary packaging signature verification method for APK files on the Android platform. Controlling the installation of APK files with this method effectively prevents applications from being illegally cracked, implanted with malicious code and repackaged, and helps ensure the security of user data such as accounts, passwords and traffic.
The present invention is realized as follows: a secondary packaging signature verification method for APK files on the Android platform, the method comprising the following steps:
Step 1: a signing tool signs the packaged original APK file with a private key, generating an APK file embedded with a digital signature file;
Step 2: a public key certificate is preset on the terminal device, and the APK file embedded with the digital signature file is downloaded to the terminal device;
Step 3: the terminal device uses the public key certificate to verify the legitimacy of the APK file embedded with the digital signature file.
Further, step 1 is specifically:
A digital signature file is generated by the signing tool using the private key, and the digital signature file is embedded into the directory of the packaged original APK file, generating an APK file embedded with the digital signature file;
The digital signature file comprises signature information, custom information and a file header;
The signature information consists of a file type name, a header section, a signature information body and signature data, wherein the signature information body comprises the start of the body section, the structure version, the signing certificate ID, the digital signature algorithm, the signing time and the hash value of the original file;
The file header consists of a file type name, a header section, the structure version, the file body length, the source file length, the original APK file length and a check value.
Further, step 3 is specifically:
When installing an APK file embedded with a digital signature file, the terminal device first verifies the primary signature file in that APK file; after the primary signature file passes verification, it extracts the digital signature file from the directory of the APK file embedded with the digital signature file and restores the original APK file;
After the digital signature file has been extracted, the public key certificate is used to verify the legitimacy of the digital signature file; if verification passes, the original APK file is allowed to be installed on the terminal device; if verification fails, the original APK file is not allowed to be installed on the terminal device.
The advantages of the present invention are as follows: the original APK file is given a secondary packaging signature, and only APK program files that pass signature verification are allowed to be installed on the terminal device, while APK program files that fail signature verification cannot be installed. This effectively prevents applications from being illegally cracked, implanted with malicious code and repackaged, and helps ensure the security of user data such as accounts, passwords and traffic.
Description of the drawings
The present invention is further described below with reference to the accompanying drawings and in conjunction with the embodiments.
Fig. 1 is an execution flow block diagram of the secondary packaging signature verification method for APK files on the Android platform of the present invention.
Fig. 2 is a schematic diagram of signing the original APK file according to the present invention.
Fig. 3 is a flow chart of signature verification by the terminal device in the present invention.
Detailed description of the embodiments
Referring to Fig. 1 to Fig. 3, a secondary packaging signature verification method for APK files on the Android platform comprises the following steps:
Step 1: a signing tool signs the packaged original APK file with a private key, generating an APK file embedded with a digital signature file;
Step 2: a public key certificate is preset on the terminal device; this public key certificate is used for secondary packaging signature verification. In a specific implementation, the public key certificate can be preset in the terminal device (for example an Android device) when the terminal device leaves the factory. The APK file embedded with the digital signature file is then downloaded to the terminal device;
Step 3: the terminal device uses the public key certificate to verify the legitimacy of the APK file embedded with the digital signature file.
As can be seen from the above, in order to better control the APK program files installed on the terminal device, the present invention applies a secondary packaging signature to the original APK file. When the terminal device downloads and installs an APK program file, only APK program files that pass signature verification are allowed to be installed on the terminal device, while APK program files that fail signature verification cannot be installed. This effectively prevents applications from being illegally cracked, implanted with malicious code and repackaged, and helps ensure the security of user data such as accounts, passwords and traffic.
Step 1 is specifically:
Referring mainly to Fig. 2, a digital signature file (i.e. the SIG signature file) is generated by the signing tool using the private key. The digital signature uses the X.509 V3 international standard signature format, and the certificate data of the digital signature uses the DER encoding format. The digital signature file is embedded into the directory of the packaged original APK file (i.e. the META-INFO directory in the APK file), generating an APK file embedded with the digital signature file. This adds a secondary packaging signature mechanism while retaining the APK primary signature mechanism; and because the only change is one more SIG signature file under the META-INFO directory inside the original APK file, the primary signature of the Android platform (terminal device) is not affected in any way. The digital signature file comprises signature information, custom information and a file header; the specific content of the APK file embedded with the digital signature file is shown in Table 1.
Table 1
The signature information consists of a file type name, a header section, a signature information body and signature data, wherein the signature information body comprises the start of the body section, the structure version, the signing certificate ID, the digital signature algorithm, the signing time and the hash value of the original file. The specific fields of the signature information are shown in Table 2.
Table 2
The file header consists of a file type name, a header section, the structure version, the file body length, the source file length, the original APK file length and a check value. The specific fields of the file header are shown in Table 3.
Table 3
Step 3 is specifically:
Referring mainly to Fig. 3, when installing an APK file embedded with a digital signature file, the terminal device first verifies the primary signature file in that APK file. Because the primary signature is a self-signed scheme, it is in theory always legitimate. After the primary signature file passes verification, the terminal device extracts the digital signature file from the directory (i.e. the META-INFO directory) of the APK file embedded with the digital signature file and restores the original APK file;
After the digital signature file has been extracted, the public key certificate is used to verify the legitimacy of the digital signature file. In a specific implementation, the public key certificate is used to verify the contents of the signature information body in the signature information item by item. If verification passes, the original APK file is allowed to be installed on the terminal device; if verification fails, the original APK file is not allowed to be installed on the terminal device.
Although specific embodiments of the present invention have been described above, those skilled in the art should understand that the specific embodiments described are merely illustrative and do not limit the scope of the present invention; equivalent modifications and changes made by those skilled in the art in accordance with the spirit of the present invention shall all fall within the scope protected by the claims of the present invention.
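The sign, embed and verify flow of steps 1 to 3, as an added Python example that is not code from the patent. The entry name `META-INF/SECOND.SIG` (in the APK signature directory the page writes as META-INFO), the JSON layout of the SIG file, the hash over entry names and contents, and the textbook-RSA demo key built from two Mersenne primes are all assumptions standing in for the layout of Tables 1 to 3 and the X.509 certificate; the platform's primary signature check is taken as already passed.

```python
import hashlib
import io
import json
import zipfile

SIG_NAME = "META-INF/SECOND.SIG"   # hypothetical name of the embedded SIG file
CERT_ID = "demo-cert-01"           # constructed signing certificate ID

# Constructed demo key: textbook RSA on two Mersenne primes. Trivially
# factorable; it only stands in for the key behind the page's X.509 certificate.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the signing tool
PRESET_CERTS = {CERT_ID: (N, E)}   # public half, preset on the terminal device


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rewrite(apk_bytes, changes):
    """Copy a zip archive, replacing or adding the entries named in changes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name not in changes:
                dst.writestr(name, src.read(name))
        for name, data in changes.items():
            dst.writestr(name, data)
    return out.getvalue()


def apk_digest(apk_bytes):
    """SHA-256 over name and content of every entry except the SIG file."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if len(names) != len(set(names)):
            raise ValueError("duplicate entry names")  # ambiguous archive
        for name in sorted(n for n in names if n != SIG_NAME):
            raw, data = name.encode(), z.read(name)
            h.update(len(raw).to_bytes(4, "big") + raw)
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def sign_apk(apk_bytes, sign_time="2017-02-24T00:00:00Z"):
    """Step 1: the signing tool builds the SIG file and embeds it."""
    body = json.dumps({"version": 1, "cert_id": CERT_ID,
                       "algorithm": "demo-rsa-sha256", "sign_time": sign_time,
                       "apk_hash": apk_digest(apk_bytes)}, sort_keys=True)
    signature = pow(digest_int(body.encode()), D, N)
    sig_file = json.dumps({"body": body, "signature": format(signature, "x")})
    return rewrite(apk_bytes, {SIG_NAME: sig_file})


def verify_apk(signed_bytes, preset=PRESET_CERTS):
    """Step 3: the device decides whether installation is allowed."""
    try:
        with zipfile.ZipFile(io.BytesIO(signed_bytes)) as z:
            if SIG_NAME not in z.namelist():
                return False, "no embedded signature file"
            sig_file = json.loads(z.read(SIG_NAME))
        body = json.loads(sig_file["body"])
        n, e = preset[body["cert_id"]]          # unknown cert ID -> KeyError
        signature = int(sig_file["signature"], 16)
        content_hash = apk_digest(signed_bytes)
    except (KeyError, ValueError, TypeError, zipfile.BadZipFile) as exc:
        return False, f"malformed or untrusted signature file: {exc!r}"
    if pow(signature, e, n) != digest_int(sig_file["body"].encode()):
        return False, "signature not made by a preset certificate"
    if body.get("apk_hash") != content_hash:
        return False, "content differs from the signed hash"
    return True, "ok"


def build_sample_apk():
    """Constructed stand-in for a packaged, primary-signed original APK."""
    return rewrite(b"PK\x05\x06" + bytes(18), {   # empty zip plus three entries
        "AndroidManifest.xml": b"<manifest/>", "classes.dex": b"original code",
        "META-INF/CERT.RSA": b"primary self-signed signature"})


if __name__ == "__main__":
    signed = sign_apk(build_sample_apk())
    print(verify_apk(signed))
    print(verify_apk(rewrite(signed, {"classes.dex": b"patched code"})))
```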

Claims (3)

1. A secondary packaging signature verification method for APK files on the Android platform, characterized in that the method comprises the following steps:
Step 1: a signing tool signs the packaged original APK file with a private key, generating an APK file embedded with a digital signature file;
Step 2: a public key certificate is preset on the terminal device, and the APK file embedded with the digital signature file is downloaded to the terminal device;
Step 3: the terminal device uses the public key certificate to verify the legitimacy of the APK file embedded with the digital signature file.
2. The secondary packaging signature verification method for APK files on the Android platform according to claim 1, characterized in that step 1 is specifically:
A digital signature file is generated by the signing tool using the private key, and the digital signature file is embedded into the directory of the packaged original APK file, generating an APK file embedded with the digital signature file;
The digital signature file comprises signature information, custom information and a file header;
The signature information consists of a file type name, a header section, a signature information body and signature data, wherein the signature information body comprises the start of the body section, the structure version, the signing certificate ID, the digital signature algorithm, the signing time and the hash value of the original file;
The file header consists of a file type name, a header section, the structure version, the file body length, the source file length, the original APK file length and a check value.
3. The secondary packaging signature verification method for APK files on the Android platform according to claim 1, characterized in that step 3 is specifically:
When installing an APK file embedded with a digital signature file, the terminal device first verifies the primary signature file in that APK file; after the primary signature file passes verification, it extracts the digital signature file from the directory of the APK file embedded with the digital signature file and restores the original APK file;
After the digital signature file has been extracted, the public key certificate is used to verify the legitimacy of the digital signature file; if verification passes, the original APK file is allowed to be installed on the terminal device; if verification fails, the original APK file is not allowed to be installed on the terminal device.

Priority Applications (1)

Application Number: CN201710101261.6A
Priority Date: 2017-02-24
Filing Date: 2017-02-24
Title: Secondary packaging signature verification method for APK files on Android platform
Status: Active, CN106656513B (en)

Publications (2)

CN106656513A (en), Publication Date: 2017-05-10
CN106656513B (en), Publication Date: 2019-09-13

Family

ID=58847831

Country Status (1)

Country: CN
Link: CN106656513B (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant