App signing allows developers to identify the author of the app and to update their app without creating complicated interfaces and permissions. Every app that is run on the Android platform must be signed by the developer. Apps that attempt to install without being signed are rejected by either Google Play or the package installer on the Android device.
On Google Play, app signing bridges the trust Google has with the developer and the trust the developer has with their app. Developers know their app is provided, unmodified, to the Android device; and developers can be held accountable for behavior of their app.
On Android, app signing is the first step to placing an app in its Application Sandbox. The signed app certificate defines which user ID is associated with which app; different apps run under different user IDs. App signing ensures that one app can't access any other app except through well-defined IPC.
When an app (APK file) is installed onto an Android device, the Package Manager verifies that the APK has been properly signed with the certificate included in that APK. If the certificate (or, more accurately, the public key in the certificate) matches the key used to sign any other APK on the device, the new APK has the option to specify in the manifest that it shares a UID with the other similarly signed APKs.
Apps can be signed by a third party (OEM, operator, alternative market) or self-signed. Android provides code signing using self-signed certificates that developers can generate without external assistance or permission. Apps don't have to be signed by a central authority. Android currently doesn't perform CA verification for app certificates.
Apps are also able to declare security permissions at the Signature protection level, restricting access only to apps signed with the same key while maintaining distinct UIDs and Application Sandboxes. A closer relationship with a shared Application Sandbox is allowed using the shared UID feature, where two or more apps signed with the same developer key can declare a shared UID in their manifest.
APK signing schemes
Android supports three app signing schemes:
- v1 scheme: based on JAR signing
- v2 scheme: APK Signature Scheme v2, which was introduced in Android 7.0.
- v3 scheme: APK Signature Scheme v3, which was introduced in Android 9.
For maximum compatibility, sign apps with all schemes, first with v1, then v2, and then v3. Devices running Android 7.0 and newer install apps signed with v2+ schemes more quickly than those signed only with the v1 scheme. Older Android platforms ignore v2+ signatures and thus need apps to contain v1 signatures.
JAR signing (v1 scheme)
APK signing has been a part of Android from the beginning. It is based on signed JAR files. For details on using this scheme, see the Android Studio documentation on Signing your app.
v1 signatures don't protect some parts of the APK, such as ZIP metadata. The APK verifier needs to process lots of untrusted (not yet verified) data structures and then discard data not covered by the signatures. This offers a sizeable attack surface. Moreover, the APK verifier must uncompress all compressed entries, consuming more time and memory. To address these issues, Android 7.0 introduced APK Signature Scheme v2.
APK signature scheme v2 and v3 (v2+ scheme)
Devices running Android 7.0 and later support APK signature scheme v2 (v2 scheme) and later. (The v2 scheme was updated to v3 in Android 9 to include additional information in the signing block, but otherwise works the same.) The contents of the APK are hashed and signed, then the resulting APK signing block is inserted into the APK. For details on applying the v2+ scheme to an app, see APK Signature Scheme v2.
During validation, the v2+ scheme treats the APK file as a blob and performs signature checking across the entire file. Any modification to the APK, including ZIP metadata modifications, invalidates the APK signature. This form of APK verification is substantially faster and enables detection of more classes of unauthorized modifications.
The new format is backwards compatible, so APKs signed with the new signature format can be installed on older Android devices (which simply ignore the extra data added to the APK), as long as these APKs are also v1-signed.
The whole-file hash of the APK is verified against the v2+ signature stored in the APK signing block. The hash covers everything except the APK signing block, which contains the v2+ signature. Any modification to the APK outside of the APK signing block invalidates the APK's v2+ signature. APKs whose v2+ signature has been stripped are rejected as well, because their v1 signature specifies that the APK was v2-signed, which makes Android 7.0 and newer refuse to verify such APKs using their v1 signatures.
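The following is an added example, not code from this page or from the Android platform, that makes the points above concrete: it locates the APK Signing Block (which sits immediately before the ZIP Central Directory and ends with the 16-byte magic "APK Sig Block 42"), lists the scheme block IDs it contains, computes the v2 content digest exactly as the scheme defines it (SHA-256 over 1 MiB chunks of the ZIP entries, the Central Directory and the EOCD, with the signing block excluded and the EOCD's Central Directory offset treated as pointing at the block), and applies a simplified version of the Android 7.0+ rule that an APK whose v1 `.SF` file carries `X-Android-APK-Signed: 2` but whose block has been stripped is rejected rather than falling back to v1. The block IDs 0x7109871a (v2) and 0xf05368c0 (v3) are the real scheme identifiers; the APK itself is a constructed in-memory ZIP and the block value is a placeholder, not a real signature, so no signature is actually verified. The `choose_verifier` decision logic is a simplification for illustration and is not Android's implementation.

```python
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
V2_BLOCK_ID = 0x7109871A  # block ID of APK Signature Scheme v2
V3_BLOCK_ID = 0xF05368C0  # block ID of APK Signature Scheme v3
CHUNK = 1024 * 1024       # the v2 digest is computed over 1 MiB chunks

def find_eocd(data):
    """Offset of the ZIP End of Central Directory record (comment is at most 65535 bytes)."""
    idx = data.rfind(EOCD_SIGNATURE, max(0, len(data) - 65535 - 22))
    if idx < 0:
        raise ValueError("not a ZIP: no EOCD record")
    return idx

def locate_sections(data):
    """Return (signing_block_start, central_dir_start, eocd_start, {block_id: value}).
    Block layout: uint64 size | ID-value pairs | uint64 size | 16-byte magic, right before the CD."""
    eocd = find_eocd(data)
    cd_start = struct.unpack_from("<I", data, eocd + 16)[0]
    blocks, sig_start = {}, cd_start  # without a block the two offsets coincide
    if cd_start >= 24 and data[cd_start - 16:cd_start] == APK_SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", data, cd_start - 24)[0]
        sig_start = cd_start - size - 8
        if struct.unpack_from("<Q", data, sig_start)[0] != size:
            raise ValueError("malformed APK Signing Block: size fields disagree")
        pos, end = sig_start + 8, cd_start - 24
        while pos < end:  # each pair: uint64 length | uint32 ID | value
            pair_len = struct.unpack_from("<Q", data, pos)[0]
            block_id = struct.unpack_from("<I", data, pos + 8)[0]
            blocks[block_id] = data[pos + 12:pos + 8 + pair_len]
            pos += 8 + pair_len
    return sig_start, cd_start, eocd, blocks

def v2_content_digest(data):
    """SHA-256 digest as the v2 scheme defines it: ZIP entries, Central Directory and
    EOCD are covered in 1 MiB chunks; the APK Signing Block itself is excluded."""
    sig_start, cd_start, eocd, _ = locate_sections(data)
    eocd_bytes = bytearray(data[eocd:])
    # The EOCD's Central Directory offset is digested as if it pointed at the signing
    # block, so inserting the block does not change the digest.
    struct.pack_into("<I", eocd_bytes, 16, sig_start)
    chunk_digests = []
    for section in (data[:sig_start], data[cd_start:eocd], bytes(eocd_bytes)):
        for i in range(0, len(section), CHUNK):
            chunk = section[i:i + CHUNK]
            prefixed = b"\xa5" + struct.pack("<I", len(chunk)) + chunk
            chunk_digests.append(hashlib.sha256(prefixed).digest())
    top = b"\x5a" + struct.pack("<I", len(chunk_digests)) + b"".join(chunk_digests)
    return hashlib.sha256(top).hexdigest()

def v1_claims_v2plus(data):
    """True if a META-INF/*.SF file carries X-Android-APK-Signed naming scheme 2 or 3."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.endswith(".SF"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("X-Android-APK-Signed:"):
                        ids = {int(x) for x in line.split(":", 1)[1].replace(",", " ").split()}
                        return bool(ids & {2, 3})
    return False

def choose_verifier(data):
    """Simplified (illustrative) Android 7.0+ decision: 'v3', 'v2', 'v1' or 'rejected-stripped'."""
    blocks = locate_sections(data)[3]
    for block_id, name in ((V3_BLOCK_ID, "v3"), (V2_BLOCK_ID, "v2")):
        if block_id in blocks:
            return name
    # The v1 .SF file says a v2+ block existed, but it is gone: refuse the v1 fallback.
    return "rejected-stripped" if v1_claims_v2plus(data) else "v1"

def insert_signing_block(zip_data, blocks):
    """Insert an APK Signing Block before the Central Directory and fix the EOCD offset."""
    eocd = find_eocd(zip_data)
    cd_start = struct.unpack_from("<I", zip_data, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in blocks.items())
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd_bytes = bytearray(zip_data[eocd:])
    struct.pack_into("<I", eocd_bytes, 16, cd_start + len(block))
    return zip_data[:cd_start] + block + zip_data[cd_start:eocd] + bytes(eocd_bytes)

def build_apk(sf_attr=b"X-Android-APK-Signed: 2\r\n", with_block=True):
    """Constructed APK-shaped ZIP; the v2 block value is a placeholder, not a real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"constructed dex placeholder")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\r\n" + sf_attr)
    data = buf.getvalue()
    return insert_signing_block(data, {V2_BLOCK_ID: b"placeholder v2 signer block"}) if with_block else data

if __name__ == "__main__":
    apk = build_apk()
    sig_start, cd_start, _, blocks = locate_sections(apk)
    inside, outside = bytearray(apk), bytearray(apk)
    inside[sig_start + 20] ^= 0xFF   # first byte of the block's value: not covered by the digest
    outside[cd_start] ^= 0xFF        # ZIP metadata (Central Directory): covered by the digest
    base = v2_content_digest(apk)
    print([hex(i) for i in blocks], choose_verifier(apk), choose_verifier(build_apk(with_block=False)))
    print(v2_content_digest(bytes(inside)) == base, v2_content_digest(bytes(outside)) != base)
```

Running the script shows three things the text describes: a byte changed inside the signing block's value leaves the content digest untouched, a byte changed in the Central Directory (ZIP metadata that a v1 signature never covered) changes it, and the digest of the plain ZIP before the block was inserted equals the digest after insertion, which is why the EOCD offset is rewritten during hashing. Removing the block from an APK whose `CERT.SF` still announces `X-Android-APK-Signed: 2` yields `rejected-stripped`, the anti-stripping behaviour described above. Production verification additionally checks the signer's signature over the digest and the certificate chain, which this example does not attempt.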
For details on the APK signature verification process, see the Verification section of APK Signature Scheme v2.