Android: Signing in android app with system signature
It was my mistake to not analyze it further. I tried installing it with adb install -r ".apk" and found the exact error, which is "signatures are not matching". Then I contacted the manufacturer and the problem was solved.
How to sign Android app with system signature?
Finally I managed to discover a way to sign my application with the platform signature. You need to use keys located in <root-of-android-source-tree>/build/target/product/security/ and add android:sharedUserId="android.uid.system" in your AndroidManifest.xml file.
Details from this google groups thread:
On top of signing Android 1.6 for Dream with certificates generated by myself, I've also managed to sign my app with the platform certificate and run it with the system sharedUserId. These are the steps I took:
- Build and flash to your Dream your own Android using https://web.archive.org/web/20081211205758/http://source.android.com:80/documentation/building-for-dream. Use the mkkey.sh script on https://web.archive.org/web/20091213215940/http://pdk.android.com/online-pdk/guide/release_keys.html to create new certificates, including x509 certificates before you do 'make'.
- In the AndroidManifest.xml of your application: under the <manifest> element, add the attribute android:sharedUserId="android.uid.system".
- Export an unsigned version of your Android application using Eclipse: right-click on the project >> Android Tools >> Export Unsigned Application Package.
- Use <root-of-android-source-tree>/out/host/<your-host>/framework/signapk.jar to sign your app using platform.x509.pem and platform.pk8 in <root-of-android-source-tree>/build/target/product/security generated earlier:
java -jar signapk.jar platform.x509.pem platform.pk8 YourApp-unsigned.apk YourApp-signed.apk
- Install the app to your device:
adb install YourApp-signed.apk
- Run your app
- Use adb shell ps to confirm that your app is running as system.
Signing my android application as system app
Well, below is your answer.
You can find platform keys from HERE. The command to sign the APK (for Linux) is:
java -jar signapk.jar -w platform.x509.pem platform.pk8 APPLICATION.apk APPLICATION_sign.apk
From Android 10 onward, the lib64 library path needs to be provided, which can be found at android/out/host/linux-x86 after generating a successful build. One can copy the folder or simply provide its path to generate the signed APK:
java -Djava.library.path="<path to lib64>" -jar signapk.jar -w platform.x509.pem platform.pk8 APPLICATION.apk APPLICATION_sign.apk
If you sign your APK with platform keys you won't require root access; you can simply install it with the "adb install" command, and yes, in some way it is like root because it can access all internal APIs, but keep in mind that if your app is system signed then you can't write to external storage.
First of all, don't combine the two: root is a user, whereas a system app is an application type that is distinguished from a normal application. The link below might clear up your confusion regarding it.
what-is-the-difference-between-android-user-app-with-root-access-and-a-system-ap
Android APK signed with PLATFORM key not given system privileges?
What @Mark mentions is correct to some extent, for system apps.
I think you are doing something else wrong.
I have tried this with system apps as well, and as long as it was signed with the platform keystore, it works. Now this was on Android 8 and Android 9. You haven't mentioned the AOSP version running on the device.
That changes things AFAIK, so if it's AOSP 10+, it might behave differently.
Also, the other comments are missing another key thing: SELinux. SELinux is not permissive for user builds. Verity is enabled, and you cannot have root access. So you cannot push the app into /system/priv-app/ or push it into /vendor/app/.
You cannot access system resources without proper SE Policy files. You can check the logs yourself, to see avc denied messages.
I think overall what you are seeing should be in line with AOSP's security ideals. An app signed with System keys should not be able to get system permissions. It also needs to be located in the correct place, either as a privileged app or vendor app. Such apps need to be whitelisted. There's a built-in script in AOSP source to even generate the permissions for whitelisting (it produces the required xml).
There are two classes of system apps, /system/app/ and /system/priv-app/. The privileged apps are the only ones that get signature level permissions, and according to newer versions of Android, you need to enable whitelisting in the /system/etc/priv_app-permissions_device_name.
If you make any changes to the system or vendor when verity is enabled, firstly they are mounted read only, but somehow if you do make a change, the device will brick itself. This is the security feature. All custom development needs to be done in userdebug builds with SELinux in permissive mode, and then all the permissions need to be predefined, SE Policies fine tuned to utmost minimal, only then the user build can function normally. User build is not at all suitable for AOSP development activities, even if it's just for testing or trying out a single app.
User build is production type build that the end user can use and is not for development. It's the most secure form of android, so if you have platform keys, it may never be enough.
All that being said, I'm sure you don't have the right keys. Just pull an app from system/priv-app/ and use keytool or similar to check its signature, and then try to match with your release apk.
It's a little complicated as it is, and kind of hard to explain, and there are levels of permissions also in Android, so if you aren't following a specific approach/path, you will not be able to get it to work.
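Added example, not part of the answers above: the two checks the last answer points to (does the APK's signer match the platform certificate, and is SELinux logging enforced "avc: denied" messages), as shell functions run here on constructed sample text. The function names and all sample values are assumptions; on a real setup the inputs come from `apksigner verify --print-certs`, `openssl x509 -noout -fingerprint -sha256` and `adb logcat -d`.

```sh
#!/bin/sh
# Added example; all sample text below is constructed, not captured from a device.

# Normalise a fingerprint: drop any "label=" prefix and colons, lowercase the hex.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# stdin: output of `apksigner verify --print-certs app.apk`; prints signer #1 digest.
apk_signer_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1
}

# $1 = apksigner output, $2 = `openssl x509 -noout -fingerprint -sha256` line for
# platform.x509.pem. Succeeds only when both name the same certificate.
signed_with_platform() {
    apk_fp=$(norm_fp "$(printf '%s\n' "$1" | apk_signer_sha256)")
    plat_fp=$(norm_fp "$2")
    [ -n "$apk_fp" ] && [ "$apk_fp" = "$plat_fp" ]
}

# stdin: logcat or dmesg text. Prints "scontext tclass [perms] tcontext" for each
# enforced denial; permissive=1 lines are logged but not blocked, so they are skipped.
avc_denials() {
    grep 'avc: *denied' | grep -v 'permissive=1' |
    sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*scontext=\([^ ]*\).*tcontext=\([^ ]*\).*tclass=\([^ ]*\).*/\2 \4 [\1] \3/p'
}

# Constructed sample inputs (placeholder digest, hypothetical app and contexts).
SAMPLE_APKSIGNER='Signer #1 certificate DN: CN=Example Platform
Signer #1 certificate SHA-256 digest: a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4'
SAMPLE_PLATFORM_FP='sha256 Fingerprint=A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4'
SAMPLE_LOG='01-01 00:00:01.000 2345 2345 W example.app: type=1400 audit(0.0:42): avc: denied { read write } for name="conf" dev="dm-2" ino=99 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=0
01-01 00:00:02.000 2345 2345 W example.app: type=1400 audit(0.0:43): avc: denied { open } for name="x" scontext=u:r:platform_app:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
01-01 00:00:03.000 2345 2345 I example.app: started'

if signed_with_platform "$SAMPLE_APKSIGNER" "$SAMPLE_PLATFORM_FP"; then
    echo "signer matches platform certificate"
else
    echo "signer does NOT match platform certificate"
fi
printf '%s\n' "$SAMPLE_LOG" | avc_denials
```

A signer mismatch points at the wrong key pair; a match together with enforced denials points at missing SELinux policy or app placement, as the answer describes.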