Can an APK be repacked after a minor text edit?

I'm creating a software that will guide the user through a few steps, to publish an android application (APK file).

The way I am doing this, is that the APK file is already compiled, and all I need to do is replace an XML file in the package, and that will change the behaviour of the application. My big problem now, is that unpacking the apk file, and doing any tiny text edit, and then packing it again, breaks the signature and prevents the application from running on any device, giving a message that the signature is incorrect.

How can I solve this? I want to safely open the APK, write something in a text file, and close it again. Note that this operation will be done on the user's computer (after he purchases our application) so we're looking for a command-line tool with no special requirements like JDK.

Any help?

Ayman Abdel-Rahman asked Apr 14 '12 18:04


3 Answers

OK, I reached the best "tested" solution - I'm posting it here to save other developers hours of googling. The only downside is that I will require the customer to install JDK on his machine, unfortunately. The reason is that I did not find any apk-signing tool that works purely on Windows, without relying on JDK.

I have my android application created using Air, so this makes things easy for me - all of the air files are treated as resource assets. So have your APK archive file ready.

Once you have your modifications ready, put them inside a temporary folder named "assets". You will use the 7-zip command line tool (free: http://sourceforge.net/projects/sevenzip/) to update the contents of your apk. To have it working with your apk you will have to rename your apk's extension to zip - don't worry, you'll change it back later.

Now from a .bat file (or directly in the command prompt) from the location containing both your apk file (zip extensioned) and your assets folder, you'll call: 7za u APK-file.zip assets

Now your apk file is updated. Rename it back to the .apk extension.

Now you'll use the signAPK tool from here https://code.google.com/p/signapk/ and note that this is the only step requiring JDK installed. It also assumes that you have your key files ready (replace the dummy ones included in the package). Extract the file contents and call: java -jar signapk.jar key.x509.pem key.pk8 [android_app].apk [signed_android_app].apk

At the very end, you may find your signed apk file size dramatically increased. So you need to use the android's zipAlign tool: (darn, can't post the link since new users can only post a maximum of two hyperlinks) you will be calling the command: zipalign 4 [signed_android_app].apk [aligned_android_app].apk

And voila! That's the route I'm taking.

If someone finds a way to do the signing process without relying on JDK (assuming the key files are ready) please share.

Ayman Abdel-Rahman answered Oct 17 '22 05:10


How can I solve this?

You don't. If you modify an APK file, by any means, it must be re-signed.

CommonsWare answered Oct 17 '22 03:10


Android apk files must be signed. That signature proves that the contents of the apk have NOT BEEN MODIFIED from what was initially published. (Which is exactly what you are doing.) The signature at the same time, also proves who the author is.

So in a normal signed apk file:

  1. You know who the author is. (Even if it's not something you as a human can understand.)
  2. You know the contents were put there by the author, and not modified since.

This is a key security measure built into Android, is there for very good reason, and cannot be overcome. It prevents things like viruses from being embedded inside innocent apk files.

starvingmind answered Oct 17 '22 03:10
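
The integrity check the answers above describe, reduced to the per-entry digest layer of JAR-style (v1) signing, as an added example that is not code from any of the posts: `META-INF/MANIFEST.MF` records a digest of every file, so swapping an asset without re-signing leaves a mismatch. The archive contents, entry names and helper functions are constructed for illustration, and the signature that covers the manifest itself is not modelled.

```python
import base64, hashlib, io, zipfile

# Constructed sample contents; a real APK has many more entries.
SAMPLE = {"assets/config.xml": b"<config mode='demo'/>", "classes.dex": b"placeholder"}

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_apk(entries):
    """Zip the entries plus a JAR-style MANIFEST.MF holding one digest per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
    return buf.getvalue()

def replace_entry(apk, target, new_data):
    """Rewrite the archive with one entry swapped, leaving META-INF untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, new_data if name == target else src.read(name))
    return out.getvalue()

def mismatched_entries(apk):
    """Return entries whose bytes no longer match the digest in the manifest."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        recorded, name = {}, None
        # Short constructed names only: 72-byte line continuations are not handled.
        for line in z.read("META-INF/MANIFEST.MF").decode().splitlines():
            if line.startswith("Name: "):
                name = line[len("Name: "):]
            elif line.startswith("SHA-256-Digest: ") and name:
                recorded[name] = line[len("SHA-256-Digest: "):]
        return [n for n in z.namelist()
                if not n.startswith("META-INF/") and recorded.get(n) != b64_sha256(z.read(n))]

if __name__ == "__main__":
    original = build_apk(SAMPLE)
    edited = replace_entry(original, "assets/config.xml", b"<config mode='full'/>")
    print("original:", mismatched_entries(original))
    print("edited:  ", mismatched_entries(edited))
```

Re-signing regenerates these digests and the signature over them with the signer's own key, which is why the modified package verifies again only after that step.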