CN106656513A - Secondary packaging signature verification method for APK files on Android platform - Google Patents
Secondary packaging signature verification method for APK files on Android platform Download PDFInfo
- Publication number
- CN106656513A CN106656513A CN201710101261.6A CN201710101261A CN106656513A CN 106656513 A CN106656513 A CN 106656513A CN 201710101261 A CN201710101261 A CN 201710101261A CN 106656513 A CN106656513 A CN 106656513A
- Authority
- CN
- China
- Prior art keywords
- file
- apk
- digital signature
- signature
- embedded
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a secondary packaging signature verification method for APK files on an Android platform. The method comprises the following steps: step 1, a signing tool signs the packaged original APK files by using a private key to generate the APK files embedded with digital signature files; step 2, a public key certificate is preset on a terminal device, and the APK files embedded with the digital signature files are downloaded to the terminal device; and step 3, the terminal device verifies the legality of the APK files embedded with the digital signature files by using the public key certificate. The secondary packaging signature verification method provided by the invention has the following advantages: the phenomenon that the applications are illegally cracked and malicious codes are embedded to the applications to cause repackaging can be effectively prevented; and the method is beneficial to ensure the security of various data such as the accounts, passwords and traffic of users.
Description
Technical field
The present invention relates on a kind of Android platform APK file secondary packing signature verification method.
Background technology
Android is the operating system of a kind of freedom based on Linux and open source code, is mainly used in mobile device
On, such as smart mobile phone, panel computer.In Android platform, the installation file of application (APP) is all with APK (Android
Package) come what is preserved, APK file is inherently a zip compressed file to form, mainly include res/class/jar with
And competence profile etc..There are a META-INFO catalogue in APK file simultaneously, the catalogue is mainly used in preserving APK
The data message that file is generated when primary signature is carried out.
Generally, developer can be entered by Eclipse/Android Studio or Ant instruments etc. to APK
Row signature, generates a primary signature file, and is saved in META-INFO catalogues.When APK file installation is carried out,
The bottom of Android platform first can carry out signature verification and parsing to APK file, so as to the relevant information of the program of being applied,
Then application program installed again.But, existing primary signature technology belongs to from signature scheme, and it is all in theory to close
(i.e. all be allow mounted) of method, thus existing primary signature all cannot control APK installation.And some APP programs
Be easy to it is pirate, once being cracked and be implanted into after malicious code repacks, no matter from performance, Consumer's Experience and in appearance,
It is all the same with original APP, but its behind but may be silently runs fearful program, and these programs will
May cause unconsciously wasting mobile phone electricity, flow, maliciously deduct fees, peep the behaviors such as privacy.
The content of the invention
The technical problem to be solved in the present invention, is that the secondary packing signature for providing APK file on a kind of Android platform is tested
Card method, by the method come the installation of control APK file, can effectively prevent application program from illegally being cracked, and be implanted into evil
The situation that meaning code is repacked occurs, it is advantageously ensured that the safety of the various data such as the account of user, password, flow.
What the present invention was realized in:The secondary packing signature verification method of APK file, methods described bag on Android platform
Include following steps:
Step 1, signature instrument are signed using private key to the original APK file through packing, and generation is embedded with digital label
The APK file of name file;
Step 2, on the terminal device pre-arranged public certificate, and would be embedded with the APK file of digital signature file and download to end
In end equipment;
Step 3, terminal unit are embedded with the legitimacy of the APK file of digital signature file using public key certificate checking.
Further, the step 1 is specially:
A digital signature file is generated using private key by signature instrument, and the digital signature file is embedded into through beating
In the catalogue of the original APK file of bag, generation is embedded with the APK file of digital signature file;
The digital signature file includes signing messages, self-defined information and file header;
The signing messages is made up of file class title, head point, signing messages main body and signed data, wherein,
The signing messages main body starts including main part, structure version, signing certificate ID, Digital Signature Algorithm, the signature time
And original document cryptographic Hash;
The file header is by file class title, head point, structure version, file body length, source file length, original
APK file length and check value are constituted.
Further, the step 3 is specially:
Terminal unit install be embedded with the APK file of digital signature file when, first to being embedded with the APK of digital signature file
Primary signature file in file is verified, after primary signature file is verified, then from being embedded with digital signature file
APK file catalogue in extract digital signature file, reduce original APK file;
After the completion of digital signature file is extracted, legitimate verification is carried out to digital signature file using public key certificate, and
If the verification passes, then allow that original APK file is installed on terminal unit;If checking does not pass through, do not allow original
Beginning APK file is installed on terminal unit.
The invention has the advantages that:The method that secondary packing signature is carried out to original APK file is employed, and it is only logical
Crossing the APK program files of signature verification just allows to be installed on terminal unit, and not by the APK program files of signature verification
Cannot then install, can effectively prevent application program from illegally being cracked, and be implanted into the situation generation that malicious code is repacked, have
Beneficial to the safety of the various data such as account, password, the flow for guaranteeing user.
Description of the drawings
With reference to the accompanying drawings in conjunction with the embodiments the present invention is further illustrated.
Fig. 1 is the execution FB(flow block) of the secondary packing signature verification method of APK file on Android platform of the present invention.
Fig. 2 is the schematic diagram that the present invention is signed to original APK file.
Fig. 3 is the flow chart of terminal unit checking signature in the present invention.
Specific embodiment
Refer to shown in Fig. 1 to Fig. 3, the secondary packing signature verification method of APK file, methods described bag on Android platform
Include following steps:
Step 1, signature instrument are signed using private key to the original APK file through packing, and generation is embedded with digital label
The APK file of name file;
Step 2, on the terminal device pre-arranged public certificate, the public key certificate is used to carry out signature secondary packing checking,
It is embodied as, just public key certificate can be preset in terminal unit (such as android equipment) when terminal unit dispatches from the factory, and
The APK file that would be embedded with digital signature file is downloaded on terminal unit;
Step 3, terminal unit are embedded with the legitimacy of the APK file of digital signature file using public key certificate checking.
From the foregoing, the present invention is employed in order to the APK program files installed on more preferable control terminal equipment
The method that secondary packing signature is carried out to original APK file, when terminal unit is downloaded and to install APK program files, only
Have just allows to be installed on terminal unit by the APK program files of signature verification, and not by the APK programs of signature verification
File then cannot be installed, and can effectively prevent application program from illegally being cracked, and be implanted into the situation that malicious code is repacked
It is raw, it is advantageously ensured that the safety of the various data such as the account of user, password, flow.
Wherein, the step 1 is specially:
Please emphasis with reference to shown in Fig. 2, generate a digital signature file (i.e. SIG signature texts using private key by signature instrument
Part), digital signature uses X.509.V3 international standard signature form, and the certificate data of digital signature uses DER volumes
Code form, and the digital signature file is embedded into into the catalogue (META- i.e. in APK file of the original APK file through packing
INFO catalogues) in, generation is embedded with the APK file of digital signature file, is so achieved that and is retaining the primary signature mechanisms of APK
On the basis of, the mechanism of secondary packing signature is added, and due to being under the inside META-INFO catalogues of original APK file
Many SIG signature files, therefore the primary signature to Android platform (terminal unit) will not produce any impact.
The digital signature file includes signing messages, self-defined information and file header;It is embedded with the APK file of digital signature file
Particular content is as shown in table 1.
Table 1
The signing messages is made up of file class title, head point, signing messages main body and signed data, wherein,
The signing messages main body starts including main part, structure version, signing certificate ID, Digital Signature Algorithm, the signature time
And original document cryptographic Hash;The component content in the specifying information domain of signing messages is as shown in table 2.
Table 2
The file header is by file class title, head point, structure version, file body length, source file length, original
APK file length and check value are constituted.The component content in the specifying information domain of file header is as shown in table 3.
Table 3
The step 3 is specially:
Please emphasis with reference to shown in Fig. 3, terminal unit install be embedded with the APK file of digital signature file when, first to embedding
There is the primary signature file in the APK file of digital signature file to be verified, because primary signature belongs to from signature scheme, because
This is all in theory legal, after primary signature file is verified, then from the APK file for being embedded with digital signature file
Digital signature file is extracted in catalogue (i.e. META-INFO catalogues), original APK file is reduced;
After the completion of digital signature file is extracted, legitimate verification is carried out to digital signature file using public key certificate,
When being embodied as, public key certificate can one by one be verified to the content of the signing messages main body in signing messages, and if checking
Pass through, then allow that original APK file is installed on terminal unit;If checking does not pass through, do not allow original APK file
It is installed on terminal unit.
Although the foregoing describing the specific embodiment of the present invention, those familiar with the art should manage
Solution, the specific embodiment described by us is merely exemplary, rather than for the restriction to the scope of the present invention, is familiar with this
The technical staff in field should be covered the present invention's in the equivalent modification and change made according to the spirit of the present invention
In scope of the claimed protection.
Claims (3)
1. on a kind of Android platform APK file secondary packing signature verification method, it is characterised in that:Methods described includes as follows
Step:
Step 1, signature instrument are signed using private key to the original APK file through packing, and generation is embedded with digital signature text
The APK file of part;
Step 2, on the terminal device pre-arranged public certificate, and would be embedded with the APK file of digital signature file and download to terminal setting
It is standby upper;
Step 3, terminal unit are embedded with the legitimacy of the APK file of digital signature file using public key certificate checking.
2. on Android platform according to claim 1 APK file secondary packing signature verification method, it is characterised in that:
The step 1 is specially:
A digital signature file is generated using private key by signature instrument, and the digital signature file is embedded into through packing
In the catalogue of original APK file, generation is embedded with the APK file of digital signature file;
The digital signature file includes signing messages, self-defined information and file header;
The signing messages is made up of file class title, head point, signing messages main body and signed data, wherein, it is described
Signing messages main body starts including main part, structure version, signing certificate ID, Digital Signature Algorithm, the signature time and
Original document cryptographic Hash;
The file header is literary by file class title, head point, structure version, file body length, source file length, original APK
Part length and check value are constituted.
3. on Android platform according to claim 1 APK file secondary packing signature verification method, it is characterised in that:
The step 3 is specially:
Terminal unit install be embedded with the APK file of digital signature file when, first to being embedded with the APK file of digital signature file
In primary signature file verified, after primary signature file is verified, then from being embedded with the APK of digital signature file
Digital signature file is extracted in the catalogue of file, original APK file is reduced;
After the completion of digital signature file is extracted, using public key certificate legitimate verification is carried out to digital signature file, and if
It is verified, then allows that original APK file is installed on terminal unit;If checking does not pass through, do not allow original APK
File is installed on terminal unit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710101261.6A CN106656513B (en) | 2017-02-24 | 2017-02-24 | The secondary packing signature verification method of APK file on Android platform |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710101261.6A CN106656513B (en) | 2017-02-24 | 2017-02-24 | The secondary packing signature verification method of APK file on Android platform |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106656513A true CN106656513A (en) | 2017-05-10 |
CN106656513B CN106656513B (en) | 2019-09-13 |
Family
ID=58847831
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710101261.6A Active CN106656513B (en) | 2017-02-24 | 2017-02-24 | The secondary packing signature verification method of APK file on Android platform |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106656513B (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107273742A (en) * | 2017-06-09 | 2017-10-20 | 广州涉川科技有限公司 | A kind of mandate installation method, barcode scanning payment terminal, server and the system of Android application |
CN107301343A (en) * | 2017-06-19 | 2017-10-27 | 大连中科创达软件有限公司 | Secure data processing method, device and electronic equipment |
CN107391166A (en) * | 2017-06-05 | 2017-11-24 | 深圳市优***科技股份有限公司 | The installation method and system of Android applications, computer installation and readable storage medium storing program for executing |
CN107769924A (en) * | 2017-09-11 | 2018-03-06 | 福建新大陆支付技术有限公司 | Verify the method and system of POS APK signatures |
CN111787529A (en) * | 2020-07-17 | 2020-10-16 | 江苏海全科技有限公司 | Signature method and system suitable for Android intelligent POS machine application |
CN113221072A (en) * | 2021-04-16 | 2021-08-06 | 江苏先安科技有限公司 | Third party countersignature and verification method based on android system |
CN113922966A (en) * | 2021-10-09 | 2022-01-11 | 上海盛本智能科技股份有限公司 | Secure application installation method based on encrypted storage hardware |
US11750732B1 (en) | 2023-02-20 | 2023-09-05 | 14788591 Canada Inc. | System for introducing features to an in-vehicle infotainment system and method of use thereof |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103905207A (en) * | 2014-04-23 | 2014-07-02 | 福建联迪商用设备有限公司 | Method and system for unifying APK signature |
CN103944903A (en) * | 2014-04-23 | 2014-07-23 | 福建联迪商用设备有限公司 | Multi-party authorized APK signature method and system |
US20140281495A1 (en) * | 2013-03-18 | 2014-09-18 | Samsung Electronics Co., Ltd. | Method and apparatus for performing authentication between applications |
CN104426658A (en) * | 2013-09-02 | 2015-03-18 | ***通信集团公司 | Method and device for performing identity authentication on application on mobile terminal |
US20150200784A1 (en) * | 2014-01-13 | 2015-07-16 | Samsung Electronics Co., Ltd. | Device and method for re-signing application package, and terminal device for running application package |
CN105391717A (en) * | 2015-11-13 | 2016-03-09 | 福建联迪商用设备有限公司 | APK signature authentication method and APK signature authentication system |
CN105743910A (en) * | 2016-03-30 | 2016-07-06 | 福建联迪商用设备有限公司 | Method and system for installing programs through digital signatures |
CN105787357A (en) * | 2016-03-28 | 2016-07-20 | 福建联迪商用设备有限公司 | APK (Android Package) downloading method and system based on Android system |
CN106209379A (en) * | 2016-07-04 | 2016-12-07 | 江苏先安科技有限公司 | A kind of Android APK countersignature verification method |
CN106355081A (en) * | 2016-09-07 | 2017-01-25 | 深圳市新国都支付技术有限公司 | Android program start verification method and device |
CN106375095A (en) * | 2016-09-02 | 2017-02-01 | 中科信息安全共性技术国家工程研究中心有限公司 | Method of protecting integrity of APK |
CN106372503A (en) * | 2016-09-07 | 2017-02-01 | 深圳市新国都支付技术有限公司 | Method and device for enhancing APK (Android Package) application permission configuration flexibility and system |
-
2017
- 2017-02-24 CN CN201710101261.6A patent/CN106656513B/en active Active
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140281495A1 (en) * | 2013-03-18 | 2014-09-18 | Samsung Electronics Co., Ltd. | Method and apparatus for performing authentication between applications |
CN104426658A (en) * | 2013-09-02 | 2015-03-18 | ***通信集团公司 | Method and device for performing identity authentication on application on mobile terminal |
US20150200784A1 (en) * | 2014-01-13 | 2015-07-16 | Samsung Electronics Co., Ltd. | Device and method for re-signing application package, and terminal device for running application package |
CN103905207A (en) * | 2014-04-23 | 2014-07-02 | 福建联迪商用设备有限公司 | Method and system for unifying APK signature |
CN103944903A (en) * | 2014-04-23 | 2014-07-23 | 福建联迪商用设备有限公司 | Multi-party authorized APK signature method and system |
CN105391717A (en) * | 2015-11-13 | 2016-03-09 | 福建联迪商用设备有限公司 | APK signature authentication method and APK signature authentication system |
CN105787357A (en) * | 2016-03-28 | 2016-07-20 | 福建联迪商用设备有限公司 | APK (Android Package) downloading method and system based on Android system |
CN105743910A (en) * | 2016-03-30 | 2016-07-06 | 福建联迪商用设备有限公司 | Method and system for installing programs through digital signatures |
CN106209379A (en) * | 2016-07-04 | 2016-12-07 | 江苏先安科技有限公司 | A kind of Android APK countersignature verification method |
CN106375095A (en) * | 2016-09-02 | 2017-02-01 | 中科信息安全共性技术国家工程研究中心有限公司 | Method of protecting integrity of APK |
CN106355081A (en) * | 2016-09-07 | 2017-01-25 | 深圳市新国都支付技术有限公司 | Android program start verification method and device |
CN106372503A (en) * | 2016-09-07 | 2017-02-01 | 深圳市新国都支付技术有限公司 | Method and device for enhancing APK (Android Package) application permission configuration flexibility and system |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107391166A (en) * | 2017-06-05 | 2017-11-24 | 深圳市优***科技股份有限公司 | The installation method and system of Android applications, computer installation and readable storage medium storing program for executing |
CN107391166B (en) * | 2017-06-05 | 2022-01-25 | 深圳市优***科技股份有限公司 | Android application installation method and system, computer device and readable storage medium |
CN107273742A (en) * | 2017-06-09 | 2017-10-20 | 广州涉川科技有限公司 | A kind of mandate installation method, barcode scanning payment terminal, server and the system of Android application |
CN107301343A (en) * | 2017-06-19 | 2017-10-27 | 大连中科创达软件有限公司 | Secure data processing method, device and electronic equipment |
CN107769924A (en) * | 2017-09-11 | 2018-03-06 | 福建新大陆支付技术有限公司 | Verify the method and system of POS APK signatures |
CN111787529A (en) * | 2020-07-17 | 2020-10-16 | 江苏海全科技有限公司 | Signature method and system suitable for Android intelligent POS machine application |
CN113221072A (en) * | 2021-04-16 | 2021-08-06 | 江苏先安科技有限公司 | Third party countersignature and verification method based on android system |
CN113922966A (en) * | 2021-10-09 | 2022-01-11 | 上海盛本智能科技股份有限公司 | Secure application installation method based on encrypted storage hardware |
US11750732B1 (en) | 2023-02-20 | 2023-09-05 | 14788591 Canada Inc. | System for introducing features to an in-vehicle infotainment system and method of use thereof |
Also Published As
Publication number | Publication date |
---|---|
CN106656513B (en) | 2019-09-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106656513B (en) | The secondary packing signature verification method of APK file on Android platform | |
CN106209379B (en) | A kind of Android APK countersignature and verification method | |
CN107463806B (en) | Signature and signature verification method for Android application program installation package | |
CN103167491B (en) | A kind of mobile terminal uniqueness authentication method based on software digital certificate | |
CN109726588B (en) | Privacy protection method and system based on information hiding | |
CN107743115B (en) | Identity authentication method, device and system for terminal application | |
CN104680061A (en) | Method and system for verifying code signing during startup of application in Android environment | |
WO2016019790A1 (en) | Verification method, client, server and system for installation package | |
CN105099705B (en) | A kind of safety communicating method and its system based on usb protocol | |
CN102946392A (en) | URL (Uniform Resource Locator) data encrypted transmission method and system | |
KR102013983B1 (en) | Method and server for authenticating an application integrity | |
CN106789075B (en) | POS digital signature anti-cutting system | |
CN104426658A (en) | Method and device for performing identity authentication on application on mobile terminal | |
CN107566413B (en) | Smart card security authentication method and system based on data short message technology | |
CN106897761A (en) | A kind of two-dimensional code generation method and device | |
CN110096849A (en) | A kind of License authorization and authentication method, device, equipment and readable storage medium storing program for executing | |
CN110135149A (en) | A kind of method and relevant apparatus of application installation | |
CN106709281B (en) | Patch granting and acquisition methods, device | |
CN105721154A (en) | Encryption protection method based on Android platform communication interface | |
US11444935B2 (en) | Certificate-based client authentication and authorization for automated interface | |
CN111435389A (en) | Power distribution terminal operation and maintenance tool safety protection system | |
EP3193262A1 (en) | Database operation method and device | |
KR102519828B1 (en) | Circuit chip and its operating method | |
KR100458515B1 (en) | System and method that can facilitate secure installation of JAVA application for mobile client through wireless internet | |
KR20130100032A (en) | Method for distributting smartphone application by using code-signing scheme |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |