Android Security, Signing and Publishing
    Presentation Transcript

    • Signing and Deploying Android Applications. Jussi Pohjolainen, Tampere University of Applied Sciences
    • Security and Permissions
      • Basic Linux security
        – Each app runs in its own process
        – Each Android package (.apk) file is given its own unique Linux user ID, creating a sandbox that prevents it from touching other apps
      • Permission mechanism
        – Enforces restrictions on the specific operations that a particular process can perform
        – Internet, GPS, ...
    • Permissions
      • An app has no permissions by default
      • You can add permissions in the manifest:
        <uses-permission android:name="android.permission.INTERNET" />
    • App Signing, Overview
      • All apps must be digitally signed with a certificate
        – Identifies the author of the app
      • Typically self-signed
      • Debug key for debugging
      • Suitable private key when publishing
      • Creating keys and signing: Keytool and Jarsigner
    • Debug Mode
      • While debugging and testing, you can compile in debug mode
      • The build tools use the Keytool utility to generate a key with a known alias and password. That key is used to sign the .apk file
      • The developer does not have to worry about this if using Eclipse!
    • Release Mode
      • When ready to release, the developer must sign the .apk with their private key
      • How? Two options:
        – Using Keytool and Jarsigner on the command line. Keytool generates the private key and Jarsigner signs the .apk with the key
        – Using the ADT Export Wizard in Eclipse (same as above, but with a GUI)
    • Signing for Public Release
      1. Obtain a suitable private key
      2. Compile the application in release mode
      3. Sign your application with the private key
      4. Align the final APK package
    • Obtain a Suitable Private Key
      • Private key
        – Is in your possession and represents your personal or corporate entity
        – Its validity period is the expected lifespan of your app
          • Recommendation: over 25 years
          • Android Market: apps must have a validity period ending after 22.10.2033
        – It is not the debug key
    • Obtain a Suitable Private Key
      • How to generate a private key?
      • Use keytool
        – > keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
    • TB308POHJUS-L-2:temp pohjus$ keytool -genkey -v -keystore my-release-key.keystore -alias my-alias -keyalg RSA -keysize 2048 -validity 10000
      Enter keystore password:
      Re-enter new password:
      What is your first and last name?
        [Unknown]: Jussi Pohjolainen
      What is the name of your organizational unit?
        [Unknown]: TMI Jussi Pohjolainen
      What is the name of your organization?
        [Unknown]: TMI Jussi Pohjolainen
      What is the name of your City or Locality?
        [Unknown]: Tampere
      What is the name of your State or Province?
        [Unknown]: Finland
      What is the two-letter country code for this unit?
        [Unknown]: FI
      Is CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI correct?
        [no]: yes

      Generating 2,048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10,000 days
        for: CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI
      Enter key password for <my-alias>
        (RETURN if same as keystore password):
      [Storing my-release-key.keystore]
      TB308POHJUS-L-2:temp pohjus$ ls -al
      total 88
      drwxr-xr-x   5 pohjus  staff   170  9 Tam 18:30 .
      drwx------+ 46 pohjus  staff  1564  9 Tam 16:43 ..
      -rw-r--r--   1 pohjus  staff  2281  9 Tam 18:28 my-release-key.keystore
      TB308POHJUS-L-2:temp pohjus$
    • Signing for Public Release
      1. Obtain a suitable private key
      2. Compile the application in release mode
      3. Sign your application with the private key
      4. Align the final APK package
    • Compiling using Release Mode
    • TB308POHJUS-L-2:temp pohjus$ ls -al
      total 88
      drwxr-xr-x   5 pohjus  staff    170  9 Tam 18:30 .
      drwx------+ 46 pohjus  staff   1564  9 Tam 16:43 ..
      -rw-r--r--   1 pohjus  staff  16435  9 Tam 18:28 BMI.apk
      -rw-r--r--   1 pohjus  staff   2281  9 Tam 18:28 my-release-key.keystore
      TB308POHJUS-L-2:temp pohjus$
    • Signing for Public Release
      1. Obtain a suitable private key
      2. Compile the application in release mode
      3. Sign your application with the private key
      4. Align the final APK package
    • Sign your application with the private key
      • You now have the private key and the .apk file.
      • Sign the .apk with the private key using jarsigner
      • > jarsigner -verbose -keystore my-release-key.keystore my_application.apk alias_name
    • TB308POHJUS-L-2:temp pohjus$ jarsigner -verbose -keystore my-release-key.keystore BMI.apk my-alias
      Enter Passphrase for keystore:
        adding: META-INF/MY-ALIAS.SF
        adding: META-INF/MY-ALIAS.RSA
       signing: res/layout/main.xml
       signing: AndroidManifest.xml
       signing: resources.arsc
       signing: res/drawable-hdpi/icon.png
       signing: res/drawable-ldpi/icon.png
       signing: res/drawable-mdpi/icon.png
       signing: classes.dex
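What jarsigner writes into the APK is a JAR-style (v1) signature: META-INF/MANIFEST.MF records a digest of every entry, the .SF file digests the manifest, and the .RSA file carries the certificate and the signature over the .SF. The digest layer needs no key to check, which makes it a quick tamper test for an APK you have been handed. The code below is an added example, not code from the slides or from jarsigner; it builds a constructed APK-like zip with sample stand-ins for the files listed in the session above (the package name and file contents are made up), generates a manifest the way jarsigner does, then checks a modified and an added entry against it. The session's toolchain uses SHA1 digests (and a SHA1withRSA certificate); current jarsigner emits SHA-256-Digest, and the verifier accepts both. The .SF/.RSA layer is not verified here.

```python
"""Check the v1 (JAR-style) signature manifest digests inside an APK.

Added example; not code from the slides or from jarsigner. It exercises the
key-independent layer of the scheme jarsigner applies: META-INF/MANIFEST.MF
records a digest of every entry, so a modified or added entry no longer
matches. The .SF and .RSA files (the signature over that manifest) are not
verified here.
"""
import base64
import hashlib
import io
import zipfile

# SHA1-Digest is what the 2011-era toolchain in the slides emits; newer jarsigner uses SHA-256-Digest.
DIGEST_ALGOS = {"SHA-256-Digest": hashlib.sha256, "SHA1-Digest": hashlib.sha1}


def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the named sections of a manifest.

    Accepts CRLF or LF and honours the JAR rule that a line starting with one space
    continues the previous line (jarsigner wraps long lines at 72 bytes).
    """
    lines = []
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines + [""]:                # trailing "" flushes the last section
        if line == "":
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
        elif ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return sections


def build_manifest(entries, attr="SHA1-Digest"):
    """Produce a MANIFEST.MF with one digest section per entry ({name: bytes}), as jarsigner does."""
    out = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(DIGEST_ALGOS[attr](data).digest()).decode("ascii")
        out += [f"Name: {name}", f"{attr}: {digest}", ""]
    return "\r\n".join(out) + "\r\n"


def verify_manifest(apk_bytes):
    """Map each content entry to 'ok', 'MISMATCH', 'UNLISTED' (not covered) or 'MISSING' (listed, absent)."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.startswith("META-INF/") and not n.endswith("/")]
        sections = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            attrs = sections.get(name)
            if attrs is None:
                result[name] = "UNLISTED"    # added after signing: no digest covers it
                continue
            attr = next((a for a in DIGEST_ALGOS if a in attrs), None)
            actual = DIGEST_ALGOS[attr](zf.read(name)).digest() if attr else None
            result[name] = "ok" if attr and actual == base64.b64decode(attrs[attr]) else "MISMATCH"
        for name in sections:
            if name not in names:
                result[name] = "MISSING"     # listed in the manifest but removed from the archive
    return result


def build_apk(entries, manifest=None):
    """Pack a constructed APK-like zip from {name: bytes}; `manifest` overrides the generated one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest if manifest is not None else build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the files the jarsigner run above lists; not a real app.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b'<manifest package="com.example.bmi"/>',
    "resources.arsc": b"\x02\x00\x0c\x00" + b"\x00" * 28,
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
}


def demo():
    """Return (genuine report, tampered report): a swapped classes.dex and an added file are caught."""
    genuine = build_apk(SAMPLE_ENTRIES)
    tampered_entries = {**SAMPLE_ENTRIES,
                        "classes.dex": b"dex\n035\x00" + b"\x01" * 32,
                        "assets/extra.bin": b"dropped in after signing"}
    tampered = build_apk(tampered_entries, manifest=build_manifest(SAMPLE_ENTRIES))
    return verify_manifest(genuine), verify_manifest(tampered)


if __name__ == "__main__":
    for label, report in zip(("genuine", "tampered"), demo()):
        print(label, report)
```

Running the module prints one report per archive; `verify_manifest` is the reusable part and takes the raw bytes of any APK. A clean result here only says the content matches the manifest; whether that manifest was signed by the key you expect is the job of the .SF/.RSA check (jarsigner -verify or apksigner), which this example deliberately leaves out.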
    • Signing for Public Release
      1. Obtain a suitable private key
      2. Compile the application in release mode
      3. Sign your application with the private key
      4. Align the final APK package
    • Align the final APK Package
      • The zipalign tool optimizes the package for running on the device: it reduces the amount of RAM the app uses
      • > zipalign -v 4 your_project_name-unaligned.apk your_project_name.apk
    • TB308POHJUS-L-2:temp pohjus$ /Developer/android-sdk-mac_x86/tools/zipalign -v 4 BMI.apk BMI-ready-to-go.apk
      Verifying alignment of BMI-ready-to-go.apk (4)...
            50 META-INF/MANIFEST.MF (OK - compressed)
           426 META-INF/MY-ALIAS.SF (OK - compressed)
           897 META-INF/MY-ALIAS.RSA (OK - compressed)
          2021 META-INF/CERT.SF (OK - compressed)
          2440 META-INF/CERT.RSA (OK - compressed)
          3142 res/layout/main.xml (OK - compressed)
          3693 AndroidManifest.xml (OK - compressed)
          4296 resources.arsc (OK)
          5916 res/drawable-hdpi/icon.png (OK)
          9940 res/drawable-ldpi/icon.png (OK)
         11536 res/drawable-mdpi/icon.png (OK)
         13777 classes.dex (OK - compressed)
      Verification succesful
      TB308POHJUS-L-2:temp pohjus$ ls -al
      total 88
      drwxr-xr-x   5 pohjus  staff    170  9 Tam 18:30 .
      drwx------+ 46 pohjus  staff   1564  9 Tam 16:43 ..
      -rw-r--r--   1 pohjus  staff  16443  9 Tam 18:30 BMI-ready-to-go.apk
      -rw-r--r--   1 pohjus  staff  16435  9 Tam 18:28 BMI.apk
      -rw-r--r--   1 pohjus  staff   2281  9 Tam 18:28 my-release-key.keystore
      TB308POHJUS-L-2:temp pohjus$
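The listing above is the whole contract of zipalign: entries stored uncompressed (resources.arsc, the PNGs) must have their data start at a multiple of 4 bytes from the start of the file, so the runtime can map them straight out of the APK instead of copying them into the heap; compressed entries are exempt. The offsets printed are data offsets, not header offsets. The following is an added example, not the slides' code or the SDK's zipalign: a small reimplementation of the check and of the padding step, using only the standard library. It constructs a sample APK-like zip (the entry names mirror the listing above, the contents are made up) whose stored entries land on odd offsets, reports them the way `zipalign -v` does, then realigns the archive by inserting the same padding extra field (id 0xD935) that zipalign uses.

```python
"""Minimal zipalign-style checker and aligner for an APK (zip) archive.

Added example; not code from the slides or from the Android SDK's zipalign.
It reimplements what `zipalign -v 4` verifies: the data of every STORED
(uncompressed) entry must start at a file offset that is a multiple of 4, so
the runtime can map it straight from the APK. Compressed entries are exempt.
"""
import io
import struct
import zipfile

ALIGNMENT = 4
LOCAL_HEADER = "<4sHHHHHIIIHH"              # zip local file header, 30 bytes
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER)
PADDING_EXTRA_ID = 0xD935                   # extra-field id zipalign uses for its padding


def data_offset(buf, info):
    """Offset of an entry's data and its compression method, read from the raw local header."""
    hdr = buf[info.header_offset:info.header_offset + LOCAL_HEADER_LEN]
    sig, _v, _flags, method, _t, _d, _crc, _cs, _us, name_len, extra_len = struct.unpack(LOCAL_HEADER, hdr)
    if sig != b"PK\x03\x04":
        raise ValueError(f"bad local header for {info.filename}")
    return info.header_offset + LOCAL_HEADER_LEN + name_len + extra_len, method


def check_alignment(buf, alignment=ALIGNMENT):
    """Report (name, data offset, status) per entry, in the spirit of `zipalign -v` output."""
    report = []
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        for info in zf.infolist():
            offset, method = data_offset(buf, info)
            if method != zipfile.ZIP_STORED:
                status = "OK - compressed"
            elif offset % alignment == 0:
                status = "OK"
            else:
                status = f"BAD - {offset % alignment}"
            report.append((info.filename, offset, status))
    return report


def align(buf, alignment=ALIGNMENT):
    """Rewrite the archive so every stored entry is aligned, padding with an extra field like zipalign."""
    out = io.BytesIO()
    pos = 0                                  # running file offset of the next local header
    with zipfile.ZipFile(io.BytesIO(buf)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            name = info.filename.encode("utf-8")
            new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new.compress_type = info.compress_type
            new.extra = b""
            if info.compress_type == zipfile.ZIP_STORED:
                base = pos + LOCAL_HEADER_LEN + len(name)
                need = (-base) % alignment
                if need:                     # 4-byte extra header plus `need` zero bytes keeps the residue right
                    new.extra = struct.pack("<HH", PADDING_EXTRA_ID, need) + b"\0" * need
            dst.writestr(new, src.read(info.filename))
            pos += LOCAL_HEADER_LEN + len(name) + len(new.extra) + dst.getinfo(info.filename).compress_size
    return out.getvalue()


def same_contents(a, b):
    """True if both archives hold the same entries with identical bytes (alignment must not alter content)."""
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        return za.namelist() == zb.namelist() and all(za.read(n) == zb.read(n) for n in za.namelist())


def build_sample():
    """Constructed APK-like zip whose stored entries land on unaligned offsets (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>\n", compress_type=zipfile.ZIP_STORED)  # data at 49
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00" + b"\0" * 60, compress_type=zipfile.ZIP_STORED)
        zf.writestr("res/drawable-hdpi/icon.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 40, compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for name, offset, status in check_alignment(sample):
        print(f"{offset:>6} {name} ({status})")
    fixed = align(sample)
    print("after align:", all(not s.startswith("BAD") for _, _, s in check_alignment(fixed)))
```

Because aligning rewrites the archive, the order matters exactly as the slides give it: sign first, then zipalign, since zipalign preserves entry bytes (which the manifest digests cover) but not their offsets. Running `check_alignment` on an APK before install is also a cheap way to confirm that the build pipeline did not skip the step.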
    • And Install using ADB
      TB308POHJUS-L-2:temp pohjus$ /Developer/android-sdk-mac_x86/platform-tools/adb install BMI-ready-to-go.apk
      700 KB/s (16443 bytes in 0.022s)
              pkg: /data/local/tmp/BMI-ready-to-go.apk
      Success
      TB308POHJUS-L-2:temp pohjus$
    • Publishing to Android Market
    • Or just use Eclipse