1

I am building something that is like an app store and its market includes Android mobile apps. I do not own a Google Play Developer Console account (yes, I still don't have that $25) but I do know of course that Google Play heavily uses certificates that are put when the APK was signed for release. I am not very sure with this but I think there are at least two (2) reasons why this certificates are important:

  • It is used so that someone cannot upload some people's work. (ex. I won't be able to upload the Google+ APK in my own account because I do not know its certificate details. But I am a little bit confused about this because if what I know is correct, certificates have private and public keys. So, which keys do you give to Google Play? Those who have console accounts can enlighten me about this.)
  • I think it is also useful in a way that, if my Google Play Console account was breached, the hacker cannot upload a new malicious update because again, he cannot copy the certificate (or that is what I think at least, but now I am confused because I remembered that certificates have an expiry date so please enlighten me on this one too.)

So now, this is my real problem. As I said earlier, I am making an app store like website that markets Android apps. Now because of what I said earlier about certificate signing on APKs, I also want to make sure that the developers that will upload their apps really own the app (and so that no one will upload for example, Facebook APK which is obviously are not theirs, and another useful thing with it, is there won't be duplicate apps.)

We are using PHP and would like to stick with PHP as much as possible. Is there a way of doing this with PHP and how? And what keys do the developer need to provide (to be used for verification)? Private keys or public keys (I'm a bit confused about this but I am guessing it's the private keys). Thanks!

EDIT:
I stumbled upon this link, can this be implemented in PHP? Sorry, I'm still not very professional on PHP and I do not know whether terminal commands can be run from it.

Community
  • 1
  • 1
Erwinstein
  • 39
  • 1
  • 12

1 Answers1

1

What are public/private keys?
you can simply search and read many articles about public/private key cryptography.
wikipedia: https://en.m.wikipedia.org/wiki/Public-key_cryptography

What about apk sign usage?
now you should know what key you are looking for and why! but the main reason to sign apk files is to make sure no one except the app owner(developer) can edit the app and publish the edited(cracked) app on market or internet.

Cracking android apps is very simple if you know java programming (except the obfuscated apks). so if someone crack your signed apk, he would have different sign on the apk and Android OS doesn't allow the new signed apk update and replace itself to the older signed apk.


How to read apk sign?
see this article main answer: How do I find out which keystore was used to sign an app?
you asked about using php to get apk sign. actually you can get the RSA file by php. but to get more details you should run Java command(keystore).

Community
  • 1
  • 1
ShayanKM
  • 461
  • 5
  • 13
  • 1
    So this basically means that I have no chance of automatically checking what information is in the RSA using PHP? Is there no way of running shell/console apps like __keytool__ in a PHP script? – Erwinstein Sep 24 '15 at 00:10
  • @CodeHarmonics Clearly you have just one way, having a server which supports Java (jdk installed). you may find some php servers that run java and so you can use java commands like: 'exec("keytool ....");' , Or running two seperate java - php servers and merging their results together. – ShayanKM Sep 24 '15 at 15:01
  • @CodeHarmonics if you found this as your answer, please mark the answer mark. thanks – ShayanKM Sep 25 '15 at 15:20
  • Yep. Sorry. Just logged in again today. Thanks for pointing out exec() function in PHP. – Erwinstein Sep 25 '15 at 23:32