What is the process for making a signed APK?

jarSigner || apkSigner || zipAlign

Photo by The Average Tech Guy on Unsplash

What is APK Signing?

APK signing is the process of digitally signing an Android application package (APK) file. This process ensures that the APK has not been tampered with or altered since it was signed. Android requires all APKs to be signed before they can be installed on a device.

Android Studio provides in-build tools to make signed APKs. But if you are required to create a signed APK manually you can follow below mentioned steps

Creating a signed APK (Android Application Package) involves several steps. Here’s a simplified process, including the use of the “jar signer” and “zipalign” tools

1. Develop Your App: First, develop your Android app in Android Studio or another development environment.
2. Build Your App: In Android Studio, select “Build” from the top menu and choose “Build Bundle(s) / APK(s).” This will generate an unsigned APK.
3. Generate a Keystore: You need a keystore file to sign your APK. If you don’t have one, you can generate it using the keytool command. For example:

keytool -genkey -v -keystore my-release-key.keystore -keyalg RSA -keysize 2048 -validity 10000 -alias my-key-alias

4. Sign the APK: To sign your APK, use the “jarsigner” tool, which is part of the Java Development Kit (JDK). The command might look like this:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my-app-unsigned.apk my-key-alias

5. Verify the Signature: You can verify the signature using the following command:

jarsigner -verify -verbose -certs my-app-unsigned.apk

6. Zipalign the APK: The “zipalign” tool aligns the APK file’s data to 4-byte boundaries, which can improve performance. Use it like this:

zipalign -v 4 my-app-unsigned.apk my-app-signed.apk

After completing these steps, you’ll have a signed and optimized APK ready for distribution. Make sure to keep your keystore file and its password secure, as they are needed for future updates or to publish your app on the Google Play Store.

jarSigner

In Android and Java development, jarSigner is a command-line tool that is used to digitally sign Java Archive (JAR) files, including Android application packages (APKs) as they are essentially ZIP files containing various components, including JAR files.

Here’s what jarSigner is used for:

1. Digital Signing: It is used to apply a digital signature to JAR files. This process involves using a private key to create a digital signature, which can be verified using the associated public key. This signature helps ensure the integrity and authenticity of the JAR file.
2. Security: Digital signatures are crucial for security in Android app distribution. When you release an app on Google Play or other platforms, it’s important to sign the APK with a private key. This allows users to verify that the app hasn’t been tampered with and that it indeed comes from a trusted source.
3. Verification: Developers and users can verify the authenticity of an app by checking its digital signature. This is an important part of app security, especially when downloading apps from external sources.
4. Integration with the Keystore: jarSigner typically works in conjunction with the Java keystore, where the private key used for signing the JAR files is stored securely.

In Android development, you use jarSigner as part of the process to create a signed APK for your app, which is necessary for distributing the app through app stores or other means.

Apksigner

The apkSigner tool, available in revision 24.0.3 and higher of the Android SDK Build Tools, lets you sign APKs and confirm that an APK’s signature will be verified successfully on all versions of the Android platform supported by that APK.

What is the difference between jarSigner and apkSigner?

jarSigner is designed for signing JAR files and does not know anything about APKs and Android, whereas apkSigner is designed for signing APK files and knows what requirements Android places on APK signatures.

For example, jarsigner does not produce APK Signature Scheme v2 signatures introduced in Android 7.0 (Nougat), whereas apkSigner does. Another example is that jarSigner does not know that APKs that need to run on API Level 17 or lower must not use SHA-256 digests in their signatures, whereas apkSigner knows that.

If you want to sign an APK using one of these tools, use apkSigner.

Zipalign

The zipalign tool is a command-line utility in Android development that optimizes Android application packages (APKs). This tool aligns the data in the APK file to 4-byte boundaries, which makes the APK more memory-efficient and faster to load by reducing the amount of RAM it consumes during runtime.

zipalign is a zip archive alignment tool that helps ensure that all uncompressed files in the archive are aligned relative to the start of the file. This lets the files be accessed directly via mmap(2) , removing the need to copy this data in RAM and reducing your app's memory usage.

Use zipalign to optimize your APK file before distributing it to end users. If you build using Android Studio, which uses the Android Gradle plugin (AGP), this is done automatically. In this case, you should still use zipalign to verify that the APK is aligned, but you don't need to align it.

Here’s why zipalign is important and what it does:

1. Memory Optimization: Aligning the data structures within the APK to 4-byte boundaries allows the Android operating system to load the data more efficiently. This results in reduced memory usage, which is crucial for the performance of Android apps, especially on devices with limited resources.
2. Performance Improvement: Memory alignment can lead to faster execution and reduced overhead. When the APK is correctly aligned, it requires fewer CPU cycles and less RAM to load, improving the app’s overall performance.
3. Requirement for Google Play: If you plan to distribute your Android app on the Google Play Store, it’s a requirement to have your APK files zip-aligned. Google Play will not accept APKs that are not properly aligned.

The zipalign tool typically comes with the Android SDK (Software Development Kit), and it's used as a final step in the APK generation process after signing the APK with a digital certificate. Properly aligned APKs are essential for optimizing the performance and user experience of Android applications.

Caution: You must use zipalign it at a specific point in the build process. That point depends on which app-signing tool you use:

• If you use apksigner, zipalign must be used before the APK file has been signed. If you sign your APK using apksigner and make further changes to the APK, its signature is invalidated.
• If you use jarsigner (not recommended), zipalign must be used after the APK file has been signed.

So how does Zipalign exactly work?

In an Android operating environment, data files stored in each application package are accessed by multiple processes, for example, the installer will read the data manifest to determine the associated permissions; the system server can read these resources for multiple reasons, like displaying notifications; the Home application, for example, will read resources to get the application’s name and icon. Since Android is based on a true multi-tasking operating infrastructure, these files are continually and repeatedly accessed. Finally, but not least, the application itself reads the manifest data.

As Android is Linux-based, memory mapping plays a key role in the efficient handling of processes. Essentially, the optimal alignment for the Android OS’ resource-handling code is 4-byte boundaries. What this means is that, if APKs are memory-mapped to 4-byte boundaries, and aligned accordingly, the OS will not need to ‘read through’ the whole application package to get to the desired data manifest. Every system process will know in advance where to look for its desired resources and hence will execute much smoothly and faster.

Summing it up, zipaligning an APK results in all uncompressed data within the package to be aligned on 4-byte boundaries, allowing all portions to be accessed directly with the memory-map. RAM consumption is lowered while execution because the querying code doesn’t have to read through the entire application package.

Disadvantages of Unaligned APKs

Quite understandably, this situation would be reserved for unaligned application packages. Resource reading would be slow and memory usage would be on the higher end of the spectrum. It would also depend on how many unaligned applications are present. For example, if less number of applications with an unaligned home application, you’d see slower application launch times. This is the best case scenario. For a worst case scenario, having a number of unaligned applications will result in the system repeatedly starting and killing processes, struggling with lags, and a huge battery drain.

Important Links

1. https://developer.android.com/tools/zipalign
2. https://docs.oracle.com/javase/8/docs/technotes/tools/windows/jarsigner.html
3. https://developer.android.com/tools/apksigner