
I have read the post titled 'Improving app security and performance on Google Play for years to come'.

In that article, I would like to ask about the sentence below. "Additionally, in early 2018, Play will start adding a small amount of security metadata on top of each APK to further verify app authenticity."

Does the above description mean 'APK Signature Scheme v2'? If so, when I have signed the app by selecting 'V2 (full APK signature)', is the final APK already created?

In other words, if I create an app in the above way and upload it, will end users download and install it without any changes?

Otherwise, I have questions about "adding a small amount into the APK Signing Block".

  1. Could it affect previous apps which don't include the new security metadata?

  2. Does Google add this metadata when the application APK is uploaded to the Play Store? My question is: at what point is the security metadata inserted into the APK?

'Generated Signed APK' Capture Image:

Robert

2 Answers


According to this blog post from June 2018, the authenticity data is already being added to apps:

We are now adding a small amount of security metadata on top of APKs to verify that the APK was distributed by Google Play.

The authenticity data is placed at the same point in the ZIP/APK file as the Signature v2 block - after the zipped content and before the ZIP central directory. This does not necessarily mean that the authenticity data requires a v2 signature - both are just injected data blocks.

(Image: APK Signature v2 placement)

However, I have not dissected a downloaded APK file to see if it really has this authenticity data included. It also seems that the necessary tools for verifying this data have not been released yet (or did I miss them?).

Google can add this metadata on the Play Store side - whether when the app is uploaded, when it is downloaded, or some time in between. Therefore even old apps can be equipped with this feature - if Google decides to do so? We will see.

Adding further data to an APK that has a v1 signature only is simple, because the v1 signature only covers the content of the zipped files, not the ZIP structure itself. For v2 the situation is similar: it covers the zipped content including the ZIP entry headers, the central directory and the end of central directory record (see here for hashing details). The signature does not cover the ZIP header or the data between the last content entry and the start of the central directory. Therefore Google can add further data before or after the APK Signing Block without invalidating the signature.

Robert
  • Hi Robert, thanks for answering. How can Google add additional metadata to an APK that is already signed (with v1/v2)? Are they adding an additional signature on top of it? If so, isn't that causing a signature mismatch when attempting to update from an installed APK without this additional signature? – Tal Kanel Jul 08 '18 at 15:07
  • See the updated last section in my answer on that topic. – Robert Jul 09 '18 at 09:03
  • Thanks for the great explanation. It sounds good and I will probably reward it with the bounty soon. Just one thing does not make sense to me here: if Google can add stuff to the file without affecting the signature, then what stops everyone else from injecting the same metadata into a file and making Google Play believe this is an APK that came from the Play Console? – Tal Kanel Jul 09 '18 at 12:51
  • Google will not add just some metadata - instead I assume it is a second signature using a Google private key. The v2 signature has the capability to contain multiple signatures. Maybe Google uses it to add their "Play Store authentic app" signature as a second app signature (that is handled in a special way by the Android on-device signature verification in the package manager). – Robert Jul 09 '18 at 13:31
  • Thanks. How do you know that? And as far as I know, an app with two signatures will fail with a signature mismatch in cases where you attempt to upgrade from an older version with only one signature. – Tal Kanel Jul 09 '18 at 13:40
  • Also, I just did an experiment: I added a new app to the Google Play Console for testing purposes, and extracted the installed APK. Then I compared it to the original APK I uploaded to the Play Store. I saw additional binary data in the APK extracted from Google Play, but the signing information extracted with keytool -printcert -file CERT.RSA was the same in both files, and contained only one signature. – Tal Kanel Jul 09 '18 at 14:21
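As an added illustration of the layout Robert describes (this is example code written for this page, not part of his answer and not a Google tool), the following Python builds a constructed, minimal APK-shaped ZIP, writes an APK Signing Block containing a placeholder v2 pair, then adds a second ID-value pair to the existing block the way a store could add metadata on top of an already-signed APK, and parses the result. The block layout (uint64 size, ID-value pairs, uint64 size, 16-byte magic "APK Sig Block 42") and the v2/v3 pair IDs come from Android's published APK Signature Scheme v2 documentation; the extra metadata ID, the entry names and the entry contents are made up for the example, and the v2 pair is zero bytes, not a real signature.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = struct.pack("<I", 0x06054B50)
V2_SIGNATURE_ID = 0x7109871A   # APK Signature Scheme v2 pair (documented by Android)
V3_SIGNATURE_ID = 0xF05368C0   # APK Signature Scheme v3 pair (documented by Android)
EXTRA_METADATA_ID = 0x12345678  # hypothetical ID for the added metadata; not Play's real ID
KNOWN_IDS = {V2_SIGNATURE_ID: "v2 signature", V3_SIGNATURE_ID: "v3 signature"}


def find_eocd(data: bytes) -> int:
    """Offset of the End of Central Directory record (22 bytes + optional comment)."""
    start = max(0, len(data) - 22 - 65535)
    idx = data.rfind(EOCD_SIGNATURE, start)
    if idx < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    return idx


def central_directory_offset(data: bytes) -> int:
    """32-bit central directory offset stored in the EOCD (ZIP64 is not handled here)."""
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def locate_signing_block(data: bytes):
    """Return (block_start, cd_offset); block_start == cd_offset when no block is present."""
    cd_off = central_directory_offset(data)
    if cd_off < 32 or data[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return cd_off, cd_off
    size = struct.unpack_from("<Q", data, cd_off - 24)[0]   # trailing size field
    start = cd_off - size - 8                                # leading size field is not counted
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    return start, cd_off


def parse_signing_block(data: bytes) -> dict:
    """{pair_id: value} for every ID-value pair in the block; {} if there is no block."""
    start, cd_off = locate_signing_block(data)
    pairs, pos, end = {}, start + 8, cd_off - 24
    while start != cd_off and pos < end:
        length, pair_id = struct.unpack_from("<QI", data, pos)  # length covers ID + value
        pairs[pair_id] = data[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs


def build_signing_block(pairs: dict) -> bytes:
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def write_signing_block(data: bytes, pairs: dict) -> bytes:
    """Insert or replace the block between the last entry and the central directory.
    Entry bytes and central directory bytes are untouched; only the EOCD's CD offset moves."""
    start, cd_off = locate_signing_block(data)
    eocd = find_eocd(data)
    block = build_signing_block(pairs)
    new_eocd = bytearray(data[eocd:])
    struct.pack_into("<I", new_eocd, 16, start + len(block))
    return data[:start] + block + data[cd_off:eocd] + bytes(new_eocd)


def add_pair(data: bytes, pair_id: int, value: bytes) -> bytes:
    """What a distributor could do to an already-signed APK: add one more pair."""
    pairs = parse_signing_block(data)
    pairs[pair_id] = value
    return write_signing_block(data, pairs)


def build_sample_apk() -> bytes:
    """Constructed minimal APK-shaped ZIP used as sample input (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(16))
    return buf.getvalue()


def demo() -> dict:
    apk = build_sample_apk()
    # "Developer" step: block with a placeholder v2 pair (zeros, not a real signature).
    signed = write_signing_block(apk, {V2_SIGNATURE_ID: bytes(64)})
    # "Store" step: one more pair, without touching entries, CD or the v2 pair.
    served = add_pair(signed, EXTRA_METADATA_ID, b"constructed store metadata")
    before, after = parse_signing_block(signed), parse_signing_block(served)
    with zipfile.ZipFile(io.BytesIO(served)) as zf:
        entries_readable = zf.read("AndroidManifest.xml") == b"<manifest/>"
    return {
        "ids_before": sorted(before),
        "ids_after": sorted(after),
        "v2_unchanged": before[V2_SIGNATURE_ID] == after[V2_SIGNATURE_ID],
        "entries_unchanged": signed[:locate_signing_block(signed)[0]] == served[:locate_signing_block(served)[0]],
        "entries_readable": entries_readable,
    }


if __name__ == "__main__":
    for pair_id, value in parse_signing_block(add_pair(build_sample_apk(), EXTRA_METADATA_ID, b"x")).items():
        print(f"0x{pair_id:08x} {KNOWN_IDS.get(pair_id, 'unknown')}: {len(value)} bytes")
    print(demo())
```

Run against a real download with `parse_signing_block(open("app.apk", "rb").read())` to list the pair IDs, and `apksigner verify --verbose --print-certs app.apk` from the Android build-tools to check the signature itself. Growing the block changes the EOCD's central directory offset; v2 verification tolerates this because it hashes the EOCD with that field replaced by the signing block's own offset, while the central directory bytes and entry bytes it digests stay as they were.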

Your question is actually found in the comments:

If Google can add stuff to the file without affecting the signature, then what stops everyone else from injecting the same metadata into a file and making Google Play believe this is an APK that came from the Play Console?

They are going to add some encrypted signature and will verify the signature through Google Play Services before installing the app, whether the APK is downloaded from the Google Play Store or not.

In the article they also mentioned that:

You do not need to take any action for this change.

Answering about the source of information and delivering apps outside of Google Play:

Referring to the Terms of Service, https://play.google.com/intl/en-us_us/about/play-terms.html:

Malware protection. To protect you against malicious third party software, URLs, and other security issues, Google may receive information about your Device's network connections, potentially harmful URLs, the operating system, and apps installed on your Device through Google Play or from other sources. Google may warn you if it considers an app or URL to be unsafe, or Google may remove or block its installation on your Device if it is known to be harmful to devices, data or users. You can choose to disable some of these protections in the settings on your Device, however, Google may continue to receive information about apps installed through Google Play, and apps installed on your Device from other sources may continue to be analyzed for security issues without sending information to Google.

Android 7.0 now shows if an APK was installed from the Play Store or another source.


Credit: https://www.androidpolice.com/2016/07/18/android-7-0-now-shows-if-an-apk-was-installed-from-the-play-store-or-another-source/

Naveed Abbas
  • Hi, thanks for the answer. Can you point me to where in official sources you got this information regarding the encrypted signature that would be verified? I know I should not do anything about that as a developer; it's just that the information about what exactly happens under the hood is important to me, as my organization deals with delivering apps on Android outside Google Play. – Tal Kanel Jul 11 '18 at 12:16
  • I've updated the answer. The purpose of this signature is to identify the sources of apps installed on the phone. It is premature to conclude that they're going to ban installation from third-party sources; the purpose of this identification is to assist users in knowing what the source of an app installation is. – Naveed Abbas Jul 12 '18 at 08:05