Aayush Taneja

Reputation: 561

Decompile a signed apk, modify and recompile using a different keystore than that of the original signed apk?

Is it possible to decompile a signed apk (say, signed with keystore A), modify its code, recompile and sign it using a different keystore (say, keystore B)?

Will such an apk be installed and run on a device?

Upvotes: 1

Views: 10644

Answers (1)

Antonino

Reputation: 3258

Yes, it is possible and it is exactly what happens when an app is put on the black market. Of course this happens especially to people who don't care about securing their apk.

I'll follow your steps, giving you a highlight point by point, but you are totally responsible for what you will end up doing with all of this.

1) decompile a signed apk

This step is usually centered on applying the apktool command on the original apk:

apktool d app_to_tamper.apk

This will generate a folder, say the app_to_tamper_folder

2) modify its code -> I'm not gonna add anything here

3) recompile

This step is usually centered on applying the next apktool command on the modified apk [actually on its folder]:

apktool b app_to_tamper_folder

From the last command you will get back an unsigned tampered_app.apk produced in the app_to_tamper_folder/dist directory

4) sign it

First of all you MUST sign the tampered_app.apk, or it will not work once you try to run it on your phone. There are at least two methods to do this. The most common is based on this command:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore $YOUR-KEY-STORE-PATH  $UNSIGN-APK-PATH $ALIAS-NAME

so for example [here I'm signing with the debug.keystore]:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore debug.keystore tampered_app.apk androiddebugkey

Optionally you can verify the apk

jarsigner -verify -verbose -certs $UNSIGN-APK-PATH

5) optimize it

This step is based on a tool called zipalign and the following command:

zipalign -v 4 $UNSIGN-APK-PATH $OUTPUT-APK-PATH

so for example:

zipalign -v 4 tampered_app.apk final_tampered_app.apk

Basically it aligns all the uncompressed data within the APK, such as images or raw files. This will reduce the amount of RAM consumed when running the application. More info can be found in the official Android documentation here. Please note that depending on the tool you choose to sign with, you may have to apply this command at a different point in the sequence.

At this point you have the final_tampered_app.apk, which is ready to be installed and run on a phone.


6) Bonus

As I was saying, this happens especially to those people who don't even try to protect the apk. Android Studio natively supports a tool, ProGuard, which is capable of providing basic obfuscation. This will NOT be enough to save you from the damages of an attacker, as I showed extensively in another post of mine, but for sure it will immediately make tampering with the app more difficult.

In order to have much more robust protection, go with some paid tools, especially when the app contains sensitive data [e.g. healthcare, fintech, etc]. This will spare you/your company/your app a bad reputation and will increase the trust and safety of your users. Better safe than sorry, especially nowadays.

Upvotes: 12
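The steps in the answer above, collected into one script as an added example (this is not code from the question or the answer): it creates a fresh keystore B, runs the apktool decompile/rebuild cycle, signs the rebuilt APK with B, zipaligns it, and then checks which certificate an APK is actually signed with by parsing `keytool -printcert -jarfile` output. It assumes apktool, jarsigner, zipalign and keytool are on PATH; the keystore path, alias, password and APK names are placeholders. The fingerprint check is the part worth keeping: the installer only verifies that the signature is valid, not who made it, so a repackaged APK installs cleanly as a new app, but it will not install over an already installed copy signed with keystore A (the package manager rejects the update because the signer differs), and an app that pins its own signer fingerprint at runtime can tell the two apart.

```shell
#!/bin/sh
# Added example: repackage an APK under a second keystore and check signers.
# Not from the original post. Assumes apktool, jarsigner, zipalign, keytool.
set -eu

# Create keystore B (the "different keystore"). Placeholder DN and password.
# Usage: make_keystore b.keystore keyb changeit
make_keystore() {
    keytool -genkeypair -keystore "$1" -alias "$2" -keyalg RSA -keysize 2048 \
        -validity 10000 -storepass "$3" -keypass "$3" \
        -dname "CN=Example Repackager, O=Example"
}

# Usage: repackage_apk app.apk b.keystore keyb changeit final.apk
repackage_apk() {
    in_apk=$1; keystore=$2; alias=$3; storepass=$4; out_apk=$5
    work="${in_apk%.apk}_work"
    for t in apktool jarsigner zipalign; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
    # 1) decompile: smali + decoded resources land in $work
    apktool d -f -o "$work" "$in_apk"
    # 2) edit files under $work here (smali/, res/, AndroidManifest.xml)
    # 3) rebuild: produces an UNSIGNED apk
    apktool b -o "$work/dist/unsigned.apk" "$work"
    # 4) sign with keystore B (jarsigner = v1/JAR signature only)
    jarsigner -sigalg SHA256withRSA -digestalg SHA-256 \
        -keystore "$keystore" -storepass "$storepass" \
        "$work/dist/unsigned.apk" "$alias"
    # 5) zipalign AFTER jarsigner; a v1 signature survives re-alignment
    zipalign -f 4 "$work/dist/unsigned.apk" "$out_apk"
    jarsigner -verify "$out_apk" >/dev/null
    echo "$out_apk"
}

# Pull the SHA256 fingerprint line out of `keytool -printcert` output (stdin).
# keytool prints "SHA256: AA:BB:..." under "Certificate fingerprints:".
sha256_fingerprint_from_printcert() {
    awk -F'SHA256: ' '/SHA256:/ { print $2; exit }'
}

# Fingerprint of the signer certificate embedded in an APK.
apk_signer_fingerprint() {
    keytool -printcert -jarfile "$1" | sha256_fingerprint_from_printcert
}

# Exit 0 if the APK is signed by the expected certificate, 1 otherwise.
# Usage: apk_signed_by final.apk "AA:BB:...:FF"
apk_signed_by() {
    actual=$(apk_signer_fingerprint "$1")
    [ "$actual" = "$2" ]
}
```

To compare the original and the repackaged build, run `apk_signer_fingerprint` on both; the fingerprints differ, which is exactly what the device checks when you try to install the tampered build over the original. Note that jarsigner only produces the v1 (JAR) signature scheme; apps targeting Android 11 (API 30) and later must carry a v2 or v3 signature from apksigner, and with apksigner the signing step goes after zipalign rather than before.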
