Sezgin ACER

Reputation: 61

Security Metadata in Android APK

As mentioned in this blog post, Google will add new security metadata on top of each APK file starting from 2018 to verify Android applications installed via the Google Play Store.

My question: Is this metadata related to jarsigner & apksigner, or does Google put this metadata in when the application APK is uploaded to the Play Store for distribution? No detailed information is found in the blog post or any other source. Thanks in advance.

Upvotes: 6

Views: 3048

Answers (4)

Tassadar

Reputation: 1891

I have reverse-engineered the signature mechanism here: https://github.com/avast/apkverifier/blob/master/signingblock/frosting.go

It's called "frosting" internally and it is aimed mainly at P2P sharing of APKs. It is implemented in the Play Store APK, not the Android OS. Besides being signed by a key, the Play Store also contains a "blacklist" of package names that can be marked as "not allowed" (currently empty).

The frosting is independent of the signing scheme - for example com.facebook.orca still uses scheme v1 but has frosting.

The frosting block is added by Play Store, so it proves that particular file was downloaded from Play Store, but not all APKs have it yet - APKs that were not updated recently are missing it. Also, sources like apkmirror.com might be getting APKs directly from developers, before they upload them to the Play store, so those will be missing frosting too.

Curiously, the frosting includes a metadata chunk encoded using protobuf. The structure is rather complex; it contains data like the signing timestamp, versionCode, minSdkVersion and many more.

The Google Photos APK has metadata that contains the string com.google.android.apps.photos.PIXEL_2018_PRELOAD. The string seems to suggest that the APK was part of a factory image, but the APK from my own phone (which is not a Pixel) also has this string.

APKs inside Pixel 2 (XL) 9.0 factory images do not have frosting.

Upvotes: 3

Alex Klyubin

Reputation: 5732

Neither jarsigner nor apksigner will be adding any such metadata. It appears that it is Google Play that will be adding this metadata, thus "stamping" APKs as "officially distributed by Google Play" (to quote the blog post). This stamping will have to occur at APK upload time or later, when the APK is distributed to installed base / users.

Upvotes: 2

just

Reputation: 2020

In your linked blog post you should read this:

We'll adjust Play's maximum APK size to take into account the small metadata addition, which is inserted into the APK Signing Block and does not alter the functionality of your app.

So when you sign your APK before uploading it to the store, Google puts this metadata into the APK Signing Block. You don't have to worry about it; the signing process does it automatically.

Upvotes: 1
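The APK Signing Block layout that both Tassadar's answer and the quoted blog line refer to, as an added example that is not part of any answer on this page: a parser that lists the ID-value pairs in a signing block and reports whether the Play metadata ("frosting") block is present. The frosting block-ID constant is the one apkverifier uses; it does not appear in the thread and is an assumption here, and the sample blocks are constructed inline. Presence is all this checks; verifying the frosting signature needs Google's public key.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# Block IDs. The v2 scheme ID comes from the APK Signature Scheme v2 docs; the
# Play-metadata ("frosting") ID is the one apkverifier uses and is an assumption
# here, since the thread itself never states it.
SIG_SCHEME_V2_ID = 0x7109871A
PLAY_FROSTING_ID = 0x2146444E


def build_signing_block(pairs):
    """Constructed helper: serialise (id, value) pairs into an APK Signing Block.
    Layout: u64 size, ID-value pairs (u64 len, u32 id, value), u64 size, magic."""
    body = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in pairs)
    size = len(body) + 8 + len(APK_SIG_BLOCK_MAGIC)
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def parse_signing_block(block):
    """Return {id: value} for every ID-value pair in an APK Signing Block.
    Raises ValueError on any structural inconsistency rather than guessing."""
    if len(block) < 32 or block[-16:] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("missing APK Sig Block 42 magic")
    (size_head,) = struct.unpack_from("<Q", block, 0)
    (size_tail,) = struct.unpack_from("<Q", block, len(block) - 24)
    if size_head != size_tail or size_head != len(block) - 8:
        raise ValueError("size fields disagree with block length")
    pairs, off, end = {}, 8, len(block) - 24
    while off < end:
        (length,) = struct.unpack_from("<Q", block, off)
        if length < 4 or off + 8 + length > end:
            raise ValueError("ID-value pair overruns block")
        (bid,) = struct.unpack_from("<I", block, off + 8)
        pairs[bid] = block[off + 12: off + 8 + length]
        off += 8 + length
    return pairs


def has_play_metadata(block):
    """True when a Play-added frosting block is present (presence only)."""
    return PLAY_FROSTING_ID in parse_signing_block(block)


# Constructed samples: a Play-distributed APK carries v2 signer data plus
# frosting; a developer-built or mirrored APK carries only the v2 signer data.
SAMPLE_STORE_APK = build_signing_block([
    (SIG_SCHEME_V2_ID, b"<v2 signer data>"),
    (PLAY_FROSTING_ID, b"<frosting protobuf>"),
])
SAMPLE_SIDELOADED_APK = build_signing_block([(SIG_SCHEME_V2_ID, b"<v2 signer data>")])

if __name__ == "__main__":
    for name, blk in (("store", SAMPLE_STORE_APK), ("sideloaded", SAMPLE_SIDELOADED_APK)):
        ids = ", ".join(f"0x{i:08x}" for i in parse_signing_block(blk))
        print(f"{name}: blocks [{ids}] frosting={has_play_metadata(blk)}")
```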
