Android system signature introduction

1. Introduction to signature principles

An APK's signature lets the developer be identified and is what allows the application to be updated. Because a package name is unique on a device, the signature check prevents an installed application from being overwritten by an arbitrary application that merely uses the same package name. This is a very important security feature.
The signature files in the system source tree are also used to sign the system's own applications. You specify which signature type to use when building each application.

2. Main signature file types in Android system

media.pk8, media.x509.pem
platform.pk8, platform.x509.pem
releasekey.pk8, releasekey.x509.pem
shared.pk8, shared.x509.pem
testkey.pk8, testkey.x509.pem

3. The path of the signature file in the Android system

In the build/target/product/security/ directory

4. Configuration of signature files during compilation

The signing key is selected in Android.mk by setting LOCAL_CERTIFICATE.
For example, LOCAL_CERTIFICATE := platform selects the platform key for signing.
Note: When preinstalling APKs for which there is no source code, the original third-party signature is often kept by setting LOCAL_CERTIFICATE := PRESIGNED.

5. Differences between different signature files in the system

1. sharedUserId

The system assigns each APK its own user ID (UID), creating a sandbox that ensures an application is not affected or influenced by other applications. For example, an ordinary application can access only the files under its own package name (/data/data/pkgname); it cannot access files under other package names, and other applications cannot access the files under its package name.
With sharedUserId, applications that have the same user ID can share databases and files and access each other's data. These applications can run in the same process or in different processes.

2. sharedUserId and signature file

Only applications that have both the same sharedUserId tag and the same signature can be assigned the same user ID and share data. If having the same sharedUserId tag alone were enough, security could not be ensured and the mechanism could easily be abused.

3. Description of the five types of signature files in the system

PRESIGNED: the APK keeps its original third-party signature.
platform: the platform's core application signature. APKs signed with it implement core system functions, and their process UID is system. Add android:sharedUserId="android.uid.system" to the application's manifest node.
media: APKs signed with this key are part of the media/download system. Add android:sharedUserId="android.media" to the application's manifest node.
shared: APKs signed with this key can share data with the home/contacts process. Add android:sharedUserId="android.uid.shared" to the application's manifest node.
testkey/releasekey: the platform default key. If LOCAL_CERTIFICATE is not specified at build time, testkey is used by default. Because the testkey is public and can be obtained by anyone, it is not safe, so you generally use a releasekey you created yourself as the default key.

Usage example: add LOCAL_CERTIFICATE := PRESIGNED to the .mk file.

Note: If the application manifest uses android:sharedUserId="android.uid.system", then when the application is integrated into the system, the mk file must set the corresponding LOCAL_CERTIFICATE := platform. The other key types work the same way.
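
The correspondence between the manifest's sharedUserId and LOCAL_CERTIFICATE described in the note above can be checked before a module is integrated. The following Python check is an added example, not code from the original article or from AOSP; the function names, the sample manifest and the sample .mk contents are constructed for illustration, and the sharedUserId-to-key mapping is the one listed in this article.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# sharedUserId -> signing key pairs, exactly as listed in this article.
EXPECTED_CERT = {
    "android.uid.system": "platform",
    "android.media": "media",
    "android.uid.shared": "shared",
}

def local_certificate(android_mk):
    """Return the last uncommented LOCAL_CERTIFICATE value, or None if unset."""
    value = None
    for line in android_mk.splitlines():
        m = re.match(r"\s*LOCAL_CERTIFICATE\s*:?=\s*(\S+)", line.split("#", 1)[0])
        if m:
            value = m.group(1)
    return value

def check_module(manifest_xml, android_mk):
    """Return a list of findings; an empty list means manifest and .mk agree."""
    findings = []
    shared_uid = ET.fromstring(manifest_xml).get("{%s}sharedUserId" % ANDROID_NS)
    cert = local_certificate(android_mk)
    if cert is None:
        findings.append("LOCAL_CERTIFICATE not set: the default testkey is used")
    expected = EXPECTED_CERT.get(shared_uid)
    if expected and cert != expected:
        findings.append("sharedUserId=%s needs LOCAL_CERTIFICATE := %s, found %s"
                        % (shared_uid, expected, cert))
    return findings

# Constructed sample inputs (hypothetical module, not from the article).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysplugin"
    android:sharedUserId="android.uid.system">
  <application android:label="SysPlugin"/>
</manifest>"""
MK_MISMATCH = "LOCAL_PACKAGE_NAME := SysPlugin\nLOCAL_CERTIFICATE := PRESIGNED\n"
MK_OK = "LOCAL_PACKAGE_NAME := SysPlugin\nLOCAL_CERTIFICATE := platform\n"
MK_UNSET = "LOCAL_PACKAGE_NAME := SysPlugin\n# LOCAL_CERTIFICATE := platform\n"

if __name__ == "__main__":
    for name, mk in (("mismatch", MK_MISMATCH), ("ok", MK_OK), ("unset", MK_UNSET)):
        print(name, check_module(SAMPLE_MANIFEST, mk))
```

A module whose .mk leaves LOCAL_CERTIFICATE unset is reported separately, since it would be signed with the publicly available testkey.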

Origin blog.csdn.net/banzhuantuqiang/article/details/132872322