Understanding new APK Signature Scheme V2?

There are lots of updates comes for Android developers in Android Studio now and then with improvements for the developers. And there may be a chance that it would be missed because some of the changes are done under the hood.

If you are using Android Studio 2.2 or higher, you must have come across the option of V1 & V2 in Signature Versions selection while generating a signed APK: Yes there are now 2 options available.

• Signature Version V1 (Jar Signature)
• Signature Version V2 (Full APK Signature)

Signing of an Application allows a developer to get the ownership of the app. It allows the developer to identify the author and help them to update the application without any complex process and permissions.

Understanding V1 (Jar Signature)

Signature Version V1 (Jar Signature) is the default one which we are using and it is based on signing JAR. V1 Signature is not capable to protect some part of the APK like Zip metadata. The APK verifier needs to process whole APK and has to discard the data which is not covered by the signature. This invites the attacker, due to which, the signature scheme APK verifier needs to uncompress all compressed data, as a result of which the processing time and memory requirements become higher. To address this issue, Android 7.0 introduced V2 Signature scheme.

Understanding V2 (Full APK Signature)

Signature Version V2 (Full APK Signature) was introduced to solve the issues identified in Version V1. Signature Version V2 helps to maintain the integrity of the full APK. It is the whole-file signature scheme which helps to increase the speed of verification and provides the guaranteed integrity by detecting changes at the secured part of the APK.

How does it all work?

In the Signature version V2, the content of the APK are hashed and then signed. After that the resulting APK signing block is inserted into the APK. I.e. APK signing block is inserted just before the ZIP Central directory section. In the APK signing block, signer identity and v2 signature information are being stored.

Source: https://source.android.com/security/images/apk-before-after-signing.png

The new Signature Scheme V2 is backward compatible if the APK is signed with V1 before V2 and that is the reason that APK signing block is developed separately. If the device has older version than Android 7.0, it will just ignore the APK signing block.

How is the APK verified when signed by Signature scheme V2?

At the time of the verification, V2 scheme treat the whole file as the single file i.e. Binary Large Object (BLOB) and verifies all the signature across it. If is there is any modification happened event the ZIP metadata, it will be invalidated the APK. Since this is a faster verification process and safer compared to V1, it reduces the installation time.

Source: https://source.android.com/security/images/apk-validation-process.png

The new Signature scheme V2 (Full APK signature) increases the security of the app in terms of integrity and also makes it faster to install, which could drive more developer installs and to earn more money ;)

References:
1. https://source.android.com/security/apksigning/
2. https://source.android.com/security/apksigning/v2
3. https://android-developers.googleblog.com/2016/11/understanding-apk-packaging-in-android-studio-2-2.html