37

I need to view who signed the application I have installed onto my device. Is this generally possible to do on the device or on PC?

Alexei Tymchenko
  • Well, not every app has an About page, right? Besides, being the developer of the app I may write anything on the About page, which may not match the information in the certificate I used to sign the app... – Alexei Tymchenko Dec 01 '10 at 12:38
  • 1
    On Android, you can use PackageManager to enumerate all apps and get the X509 signing certificate, see http://stackoverflow.com/a/16305427/2225646. There is also a free app in Google Play: Indenile Signature. – Yojimbo Feb 27 '17 at 18:44

2 Answers

59

(assuming you can obtain access to the raw apk file - which you usually can, if you know or make an educated guess of its name and location, even though you can't list the contents of /data on a non-rooted phone)

You could open the apk as a zip file and filter the ASCII text from the binary content of META-INF/CERT.RSA.

Or using an actual tool,

jarsigner -verify -certs -verbose some_application.apk

Of course the only way to verify that the signer is who they claim to be is to get something else signed with the same key from that party via direct or verified means and compare the signing key fingerprints - that is how Android itself verifies that app upgrades and app ID sharing come from the same party as the existing APK they target.

chrki
Chris Stratton
  • Thanks for the hint! Maybe you also know how to achieve the same goal using only the device? My identity may be important for end-users of my application, but they are usually too lazy to perform manipulations on a PC... – Alexei Tymchenko Dec 02 '10 at 14:59
  • 2
    I would not be surprised if jarsigner is implemented in java, so you could probably port it to android. However, the first suggestion of extracting the ascii text by filtering out the unprintables may be simpler. But if this is your application, what's the point? If the user trusts your code to extract the signer information then they'd presumably trust your about screen too. Also note that extracting the signer information doesn't prove that this entity really signed it, you'd have to prove that the used certificate was really theirs. – Chris Stratton Dec 02 '10 at 21:35
  • Running jarsigner on an apk released by Google (apparently) gives (lots of) these messages: `X.509, CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US [certificate is valid from 22-08-08 01:13 to 08-01-36 00:13] [CertPath not validated: Path does not chain with any of the trust anchors]`. How do I get hold of the Google certificate to validate that they were really the signer? (I think it is relevant to add to this reply, but let me know if you would like me to post a separate question.) – mgd May 13 '15 at 14:06
6

From Getting certificate details from an apk, you can use the following command:

openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text

Community
user2645905