How does Android's app/signature verification work?

Question

I want to preface this question with two things so I can narrow down where my actual question is:

a) I've done software dev before, though never for android

b) I'm familiar with PKI and encryptions and hashing and digital signatures and blah blah blah

That being said I'm having trouble tracking down more information about where and how Android verifies app creators. I've heard a lot of different information so I'm trying to synthesize to get a better idea of the workflow.

I know that every app developer gets their own private/public key pair and they sign their apps by hashing the APK (with SHA-1 most of the time if I'm not mistaken) and there you go. You upload it and (I believe) the public key goes in META INF inside the APK. This much I understand.

My question is how this relates to when a user downloads the app itself. I know the phone checks to make sure that the app is validly signed, and that the signature also has information about author and etc included. But I've also read that apps are self signed and that Google Play (or whatever they're calling the Market now) doesn't implement a CA, and that there's no identity authentication? But my question is what, then, stops people from uploading an app under another developers name (crowdsourcing aside)?

If the phone only checks for valid signatures does that imply that the only means of authentication is done when the app is uploaded? And if that's the case how does the app market check it? Is it the usual - use the private key on file and verify the signature? Or does the developer have to provide the market with their private key to authenticate?

Answer 1

In short, Android and Google Play essentially don't care about what's in actual certificate. Google Play will validate it indeed, and check if it is valid for 30 years or more, but they don't really use (at least currently, AFAIK) the actual info in the cert. You could use your own name/company name in the CN, but no one will validate this, and users won't see this info at all. What Android does is:

• check the signature to make sure the APK hasn't been tampered with
• then compare the singing certificate as a binary blob to the one of the currently installed version of the app to make sure that the two versions have been signed with the same key/certificate (e.g., by the same person/company)
• it does the same thing to enforce permission if you are using using sharedUid or signature permissions with two or more apps.

So, to answer your question, someone can easily create a certificate with your name on it, but Android and Google Play don't really care. As long as they don't have your private key, they won't be able produce an app signature that is the same as yours and thus they wouldn't be able to overwrite/update your app with theirs, or get any special permissions.