
Is it possible to decompile a signed apk (say, signed with keystore A), modify its code, recompile and sign it using a different keystore (say, keystore B)?

Will such an apk be installed and run on a device?

Aayush Taneja
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Android Enthusiasts Stack Exchange](http://android.stackexchange.com/) would be a better place to ask. – jww Jun 12 '18 at 03:15

1 Answer

Yes, it is possible, and it is exactly what happens when an app is put on the black market. Of course, this happens especially to people who don't care about securing their APK.

I'll follow your steps, giving you the highlights point by point, but you are totally responsible for what you will end up doing with all of this.

1) decompile a signed apk

This step is usually centered on applying the apktool command on the original apk:

apktool d app_to_tamper.apk

This will generate a folder, say app_to_tamper_folder.

2) modify its code -> I'm not gonna add anything here

3) recompile

This step is usually centered on applying the next apktool command on the modified apk [actually on its folder]:

apktool b app_to_tamper_folder

From the last command you will get back an unsigned tampered_app.apk, produced in the app_to_tamper_folder/dist directory.

4) sign it

First of all, you MUST sign the tampered_app.apk, or when you try to run it on your phone it will not work. There are at least two methods to do this. The most common is based on this command:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore $YOUR-KEY-STORE-PATH  $UNSIGN-APK-PATH $ALIAS-NAME

so for example [here I'm signing with the debug.keystore]:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore debug.keystore tampered_app.apk androiddebugkey

Optionally, you can verify the APK:

jarsigner -verify -verbose -certs $UNSIGN-APK-PATH

5) optimize it

This step is based on a tool called zipalign and the following command:

zipalign -v 4 $UNSIGN-APK-PATH $OUTPUT-APK-PATH

so for example:

zipalign -v 4 tampered_app.apk final_tampered_app.apk

Basically, it aligns all the uncompressed data within the APK, such as images or raw files. This reduces the amount of RAM consumed when running the application. More info can be found in the official Android documentation. Please note that, depending on the tool you choose for signing, you may have to apply this command at a different point in the sequence.

At this point you have the final_tampered_app.apk, which is ready to be installed and run on a phone.


6) Bonus

As I was saying, this happens especially to those people who don't even try to protect the APK. Android Studio natively supports a tool, ProGuard, which is capable of providing basic obfuscation. This will NOT be enough to save you from the damage done by an attacker, as I showed extensively in another post of mine, but for sure it will make tampering with the app immediately more difficult.

In order to have much more robust protection, go with some paid tools, especially when the app contains sensitive data [e.g. healthcare, fintech, etc.]. This will prevent a bad reputation for you/your company/your app and will increase the trust and safety of your users. Better safe than sorry, especially nowadays.

Antonino
  • I have found some solutions to make it difficult to mess with the backend database: 1. Create an API and make it reject malicious requests 2. Keep database keys on the API 3. Add class-level permissions and ACLs on the database. Can you suggest any more solutions to protect the database from attacks such as deleting the database, fetching all the data, or even malicious queries? – Aayush Taneja Jun 14 '18 at 09:20
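The mechanism behind steps 1 to 5 and the "Bonus" section above, as an added example that is not part of the original question or answer. It builds a minimal APK-like zip with a JAR-style (v1) signature block, the format jarsigner produces: MANIFEST.MF carries a SHA-256 digest per entry, CERT.SF carries the digest of the manifest, and a signature covers CERT.SF. It then patches classes.dex without touching META-INF (fails the digest check), rebuilds the signature block under a different keystore B (passes, because the platform only checks that the APK is consistent with whatever certificate it carries), and finally runs the kind of pinned-signer check an app can do on itself, which is what actually notices the key change. Everything here is constructed for the demo: the keystore names A and B, their secrets, the sample entries, and the signature, which is an HMAC stand-in for the real RSA/PKCS#7 signature (stored as CERT.SIG instead of CERT.RSA) so the block runs with the Python standard library only; the "certificate fingerprint" is likewise a stand-in derived from the key.

```python
"""Added example, not code from the original answer: why a re-signed APK
still installs, and what a pinned-signer self-check catches.

Simplifications (constructed for the demo):
- The real v1 scheme signs META-INF/CERT.SF with RSA (PKCS#7, in CERT.RSA).
  Here the signature is an HMAC under a per-keystore secret, stored in
  META-INF/CERT.SIG, and the verifier looks the key up by keystore name.
- The "certificate fingerprint" is the SHA-256 of that secret; on Android it
  would be the SHA-256 of the signer's DER certificate.
- MANIFEST.MF / CERT.SF digest lines follow the real JAR manifest format.
"""
import base64
import hashlib
import hmac
import io
import zipfile

# Constructed sample "keystores": name -> signing secret (stand-in for a private key).
KEYSTORES = {"A": b"keystore-A-secret", "B": b"keystore-B-secret"}


def _b64sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def cert_fingerprint(keystore: str) -> str:
    """Stand-in for the SHA-256 fingerprint of the signer certificate."""
    return hashlib.sha256(KEYSTORES[keystore]).hexdigest()


def sign_apk(entries: dict, keystore: str) -> bytes:
    """jarsigner equivalent: write entries plus MANIFEST.MF, CERT.SF and a signature."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in entries.items():
        manifest += f"Name: {name}\r\nSHA-256-Digest: {_b64sha256(data)}\r\n\r\n"
    sf = ("Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {_b64sha256(manifest.encode())}\r\n\r\n")
    sig = hmac.new(KEYSTORES[keystore], sf.encode(), hashlib.sha256).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", sf)
        z.writestr("META-INF/CERT.SIG", f"{keystore}:{sig}")  # stand-in for CERT.RSA
    return buf.getvalue()


def _read_all(apk: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {n: z.read(n) for n in z.namelist()}


def verify_apk(apk: bytes):
    """Platform-style check: signature valid under the key the APK carries, and
    every digest consistent. Returns (ok, signer_fingerprint_or_None, reason).
    Note that it does NOT care which key signed; any self-consistent APK passes."""
    files = _read_all(apk)
    manifest = files["META-INF/MANIFEST.MF"].decode()
    sf = files["META-INF/CERT.SF"].decode()
    keystore, sig = files["META-INF/CERT.SIG"].decode().split(":")
    expected = hmac.new(KEYSTORES[keystore], sf.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, None, "signature does not verify"
    if f"SHA-256-Digest-Manifest: {_b64sha256(manifest.encode())}" not in sf:
        return False, None, "MANIFEST.MF was altered after signing"
    for name, data in files.items():
        if name.startswith("META-INF/"):
            continue
        if f"Name: {name}\r\nSHA-256-Digest: {_b64sha256(data)}\r\n" not in manifest:
            return False, None, f"digest mismatch for {name}"
    return True, cert_fingerprint(keystore), "ok"


def tamper(apk: bytes, name: str, new_data: bytes) -> bytes:
    """Replace one entry but leave META-INF alone (a naive binary patch)."""
    files = _read_all(apk)
    files[name] = new_data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in files.items():
            z.writestr(n, d)
    return buf.getvalue()


def resign(apk: bytes, keystore: str) -> bytes:
    """apktool b + jarsigner equivalent: drop the old META-INF and sign again."""
    entries = {n: d for n, d in _read_all(apk).items() if not n.startswith("META-INF/")}
    return sign_apk(entries, keystore)


def app_self_check(apk: bytes, pinned_fingerprint: str) -> bool:
    """What a defensive app does at runtime (PackageManager signature check):
    compare the signer fingerprint with the one baked in at build time."""
    ok, fp, _ = verify_apk(apk)
    return ok and hmac.compare_digest(fp, pinned_fingerprint)


def demo() -> dict:
    # Constructed sample APK contents; keystore A is the legitimate developer.
    original = sign_apk({"classes.dex": b"dex\n035\x00original code",
                         "AndroidManifest.xml": b"<manifest package='com.example'/>"}, "A")
    pinned = cert_fingerprint("A")
    patched = tamper(original, "classes.dex", b"dex\n035\x00patched code")
    resigned = resign(patched, "B")
    return {
        "original": verify_apk(original)[0],                 # True
        "patched_unsigned": verify_apk(patched)[0],          # False: digest mismatch
        "patched_resigned": verify_apk(resigned)[0],         # True: platform accepts it
        "self_check_original": app_self_check(original, pinned),  # True
        "self_check_resigned": app_self_check(resigned, pinned),  # False: key changed
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Two caveats a practitioner should keep in mind. First, the device does enforce signer identity in one place: if a package with the same name is already installed under keystore A, installing the keystore B build is refused (INSTALL_FAILED_UPDATE_INCOMPATIBLE), so the re-signed copy only works as a fresh install or on devices that never had the original. Second, jarsigner only produces the v1 scheme modelled here; apksigner adds v2/v3 signatures over the whole zip, and with apksigner the zipalign step must run before signing, which is the "different timeline" the answer alludes to. A pinned-fingerprint self-check like app_self_check is what ProGuard-style obfuscation is meant to make hard to find and remove; it is not bypass-proof, since the attacker controls the code that performs the check.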