I have access to an Android tablets' platform key and certificate. I'm attempting to build an app and install it with system level privileges by doing the following:
Create a Java KeyStore file with platform.pk8 and platform.x509.pem using the bash script called platform_import_keystore found on GitHub.
In AndroidManifex.xml add the following:
<uses-permission android:name="android.permission.READ_LOGS"/>
android:sharedUserId="android.uid.system"
Sign APK with PLATFORM key and certificate using a Java KeyStore file in Android Studio.
Install APK
When the app runs, the system denies READ_LOGS permission.
Why isn't my app running with system level permissions?
What #Mark mentions is correct to some extent, for system apps.
I think you are doing something else wrong.
I have tried this with system apps as well, and as long it was signed with the platform keystore, it works. Now this was on Android 8 and Android 9. You haven't mentioned the AOSP version running the device.
That changes things AFAIK, so if it's AOSP 10+, it might behave differently.
Also the other comments are missing another key thing SELinux. SELinux is not permissive for user builds. Verity is enabled, and you cannot have root access. So you cannot push the app into /system/priv-app/ or push it into /vendor/app/.
You cannot access system resources without proper SE Policy files. You can check the logs yourself, to see avc denied messages.
I think overall what you are seeing should be inline with AOSP's security ideals. An app signed with System keys should not be able to get system permissions. It also needs to be located in the correct place, either as a privileged app or vendor app. Such apps need to be whitelisted. There's a built in script in AOSP source to even generate the permissions for whitelisting (it produces the required xml)
There's two classes of system apps, /system/app/ and /system/priv-app/
The privileged apps are the only ones that get signature level permissions, and according to newer versions of android, you need to enable whitelisting in the /system/etc/priv_app-permissions_device_name.
If you make any changes to the system or vendor when verity is enabled, firstly they are mounted read only, but somehow if you do make a change, the device will brick itself. This is the security feature. All custom development needs to be done in userdebug builds with SELinux in permissive mode, and then all the permissions need to be predefined, SE Policies fine tuned to utmost minimal, only then the user build can function normally. User build is not at all suitable for AOSP development activities, even if it's just for testing or trying out a single app.
User build is production type build that the end user can use and is not for development. It's the most secure form of android, so if you have platform keys, it may never be enough.
All that being said, I'm sure you don't have the right keys. Just pull an app from system/priv-app/ and use keytool or similar to check it's signature, and then try to match with your release apk.
It's little complicated as it is, and kind of hard to explain and there are levels of permissions also in android, so if you aren't following a specific approach/path, you will not be able to get it to work.
Related
In my company, we would want total control for battery consumption in the field, using only 2g and gps could drain the battery awfully fast. What we decided is that we need to have root access to the mobile phone, So that when phone is idle, we would turn off those needless battery consumption.
And also we would not allow users to uninstall it and clear data to it.
My Question is :
Where do I get these signature key?
Is it going to like a root access If ever I successfully managed to
sign it?
What is the difference between Root vs Signed with key?
Answering your three questions:
1 - Where do I get these signature key?
From Android's own documentation in the section Release Keys
The Android tree includes test-keys under
build/target/product/security
But the next part is where you should really pay attention
Since the test-keys are publicly known, anybody can sign their own
.apk files with the same keys, which may allow them to replace or
hijack system apps built into your OS image. For this reason it is
critical to sign any publicly released or deployed Android OS image
with a special set of release-keys that only you have access to.
So basically unless you can somehow gain access to manufacturer's pvt keys it might be difficult to achieve this. This is why a user in a previous comment was saying this is usually achieved by producing your own build.
2 - Is it going to like a root access If ever I successfully managed
to sign it?
You will not get "root access" by doing it, but you will get access to an extremely high level of access. Specifically, what this achieves you is that you will be granted permissions with declared android:protectionLevel="signature" which is, arguably, the most exclusive one.
One other dangerous consequence (or fun, depending on how you look at it) of this is that you can now run your app under system user process android:sharedUserId="android.uid.system" - under android's "process sandboxed" security rules this would normally fail.
3 - What is the difference between Root vs Signed with key?
With an app signed with the platform key from your build, you can get the permissions mentioned above, or run your app with UID 1000 (system uid) which in android is much more powerful than the UIDs of other apps because of the permissions it can request, this is a behaviour specific of Android though.
In a rooted device, you can use UID 0 (root) which has the broadest access in linux based systems, you can bypass most of the security sandboxing/checks/fences on the OS.
Hope this helps ;)
Well below is your answer,
You can find platform keys from
HERE. The command to sign apk (for linux) is:
java -jar signapk.jar -w platform.x509.pem platform.pk8 APPLICATION.apk APPLICATION_sign.apk
onward Android 10 lib64 library path need to provided which can be found at android/out/host/linux-x86 after generating a successful build, one can copy folder or simply provide its path to generate sign APK
java -Djava.library.path="<path to lib64>" -jar signapk.jar -w platform.x509.pem platform.pk8
If you sign your apk with platform keys you won't required root access you can simply install it from "adb install" command, and yes in someway it is like root 'cos it can access all internal api but keep in mind if your app is system signed then you can't write external storage.
First of all don't combine both root is user where system app is application type which distinguish from normal application below link might clear your confusion regarding it.
what-is-the-difference-between-android-user-app-with-root-access-and-a-system-ap
For anyone coming to this question and even after reading the comments not being able to make it work, it might be because there're some things missing (specially if getting OPENSSL errors), here's everything you need.
Sign APK with test keys from the AOSP
git clone https://android.googlesource.com/platform/prebuilts/sdk.git - Careful it's ~6GB, or you can download what you need, the signapk.jar file and the libraries.
download the platform.x509.pem and platform.pk8 from https://github.com/aosp-mirror/platform_build/tree/master/target/product/security (or get your own keys corresponding to the image)
With java installed, change the following command with the right paths for the files, the lib64 in the sdk you just cloned, the signapk.jar file, the platform key files and the apk to sign
java -Xmx2048m -Djava.library.path="~/../sdk/tools/linux/lib64" \ # In the cloned sdk
-jar ~/../sdk/tools/lib/signapk.jar \ # In the cloned sdk
platform.x509.pem platform.pk8 \ # The keys for signing (from step 2)
app-prod-release.apk release.apk # The app to sign and the signed app
Which permission an app need to access the file /cache/recovery/last_log?
My app is signed with platform key, so I can provide system permissions. The app will be pre-built into a device, and the device will be non-rooted.
You can only access the cache directory for your app
getApplicationContext().getCacheDir()
Apparantly, you don't need any permission to READ from cache. But you do need permission if you want to write something in cache directory.
Documentation from http://developer.android.com/reference/android/Manifest.permission.html#READ_LOGS on logs:
Allows an application to read the low-level system log files.
Not for use by third-party applications, because Log entries can contain the user's private information.
Constant Value: "android.permission.READ_LOGS"
What do you mean by 'recovery'?
I found the solution some time ago, just posting here to help if someone else have the same problem.
The thing that was blocking me was SELinux. I'm posting the solution to the original question, but be aware that some things changed on Android since that, including the creation of the A/B system, where the recovery and cache partitions where removed from Android.
SELinux
I learned the hard way that one have to deal with SELinux in order to work on the Android source code. The important bits are:
On the device definition (makefiles under the device directory) there will be reference to SELinux policies. In one of the devices I work with I have a makefile that have:
BOARD_SEPOLICY_DIRS += path/to/sepolicy/dir
And on the directory all files with ".te" ending will be used as SEPolicy. I suggest adding a new directory for your custom policies, where you can use your own git repository.
Now you need to know what policies to write. I suggest reading Google's documentation here.
Personally, I first test the app on a userdebug build with SELinux in permissive mode (log only). These way SELinux will only log actions that violates the policies, what makes development substantially easier. Only after I know the app runs with SELinux off I start collecting the logs and set the "enforced" mode.
To collect the SELinux logs of actions that don't met the policies I use:
adb logcat | grep "avc: denied"
There is a tool called audit2allow that reads the logcat output and the device policy and outputs policies that are missing:
adb pull /sys/fs/selinux/policy
adb logcat -b all -d | python2 audit2allow -p policy
The output of the file are policies that can be added to the .te files.
This particular method I used with Android 8.1.
Sign app with platform key
I also had to sign the app with the platform key. For that I edited Android.mk to add:
LOCAL_CERTIFICATE := platform
System UID
Fixing SELinux policy might not be enough for some device. You might need to make the app run with the system user.
You must avoid using these method, because this user have access to some very sensitive device files. If you really need, you can do it by:
Sign the app with platform key;
On the app that will read the recovery, you have to make sure AndroidManifest.xml set android:sharedUserID to "android.uid.system".
<manifest package="my.app.name"
xmlns:android="http://schemas.android.com/apk/res/android"
android:sharedUserId="android.uid.system">
....
</manifest>
Other useful files
Other files of interest to diagnose boot and ota problems are documented here.
This question already has answers here:
Difference between eng and user-debug build in Android
(2 answers)
Closed 4 years ago.
In Android, what is the difference between debug build and production build ? Also are there any other kinds of builds ?
Thanks.
I'm not sure if you are asking about the debug/production app or debug/product framework. So I will cover framework.
There are two different types of android framework build (the entire system image) user (aka production) and userdebug.
All standard device maker release their device with "user" build. Userdebug is meant for development and typically only built for in-house use.
Getting root:
In userdebug build you can simply do "adb root" to switch your adb shell to root mode. In addition, you can also do "adb remount" to remount the system partition to writeable mode for further control.
In user build, you can gain root access by installing special su binary and corresponding controlling app (like supersu). This way, while in adb shell, you can use "su" to gain a privileged shell. It is not as convenient as userdebug build.
In AOSP, you can choose the build type via the lunch command. For example
lunch aosp_hammerhead-userdebug
vs
lunch aosp_hammerhead-user
Well, the three little pigs had 3 types of builds but most of those didn't work out so well.
Anyway, you should see the docs here. When you build your app in the IDE you get a debug key and this is different than a production key. Having a debug build keeps you from needing to enter credentials each time but you obviously would want this prompt when you are ready to release a production build.
I guess this is what you are talking about but if you have something else in mind then please elaborate.
There is no difference between the two builds. The production build will run the same as the debug build with some limited exceptions. The limited exceptions relate to features that are signature dependent, i.e. they require you to register either the debug or production key to work properly. This would include most API's, like GoogleMaps or Facebook, and anything else that uses your build key to generate a unique identifier (think most OAuth2 products).
Your question is confusing/vague because in reality there is no difference in the two builds. Both will run exactly the same code. The difference is in who can run them and how you can run them. All android applications are signed when they are built by a unique key. This key identifies the app creator and is useful, in production, to ensure that the developer is not sending crap malware to those on the Google Play Store (or at least if they are we know where to find them).
Builds created in debug mode are signed with a debug key that is localized to a specific machine. This means if I build an app in debug mode to install to my phone, and another developer sitting right next to me builds the exact same code base to run on his phone our two applications will be signed with different debug keys. Why does this matter? Well, going back to the API registration process mentioned above, if I create our company wide Google Maps API registration using my debug key (bad idea) when my friend sitting next to me builds the app in debug mode on his machine he will encounter an error. The problem is that access to the Google Maps API is dependent on having an app installed that is registered with the right key. Because our two keys are different his app will not load properly.
Release/production mode allows you to sign the app is one universal key, not tied to a specific machine. This avoids the problem mentioned above. By using one key for all instals, every app will be able to access the same API's, so long as you register for them with your production key. This production key is not machine specific. You can send it to your friends (please don't) so they can sign apps as you.
That's pretty much it. You can read more about building and running apps here. If you have a more specific question please clarify.
What I should to do to create a system app (to obtain rights to use android:sharedUserId="android.uid.system"in manifest file without receiving an error from package manager about certification problem?
I use rooted phone with stock firmware.
Ok, I think that I find sollution from great xda developers: http://forum.xda-developers.com/showthread.php?t=1776095 here is full description how to obtain access to apps signed by platform keys.
Do you apply with this approach?
PS it is interesting that users from stack instead of investigating hard problem immediately say that you can not solve it, then reduce novice user's reputation...
What I should to do to create a system app
There are two types of system apps:
Apps installed on the system partition, which can be accomplished by users with root privileges
Apps signed by the same signing key that signed the firmware
to obtain rights to use android:sharedUserId="android.uid.system"
That definitely would require your app to be signed by the same signing key that signed the firmware. That's true for any android:sharedUserId.
But some guys edit stock apps, prepare zip file which user can update system apps by recovery.
You are welcome to provide any evidence that what they do somehow involves android:sharedUserId="android.uid.system".
A system app must be signed with the platform key. This is done by developers deploying an android platform on their own device, or mobile carriers.
If that is your case, the easiest way is to add this to your Android.mk:
LOCAL_CERTIFICATE := platform
LOCAL_PRIVILEGED_MODULE := true
or this to your Android.bp:
certificate: "platform",
privileged: true,
If you add those lines without adding android:sharedUserId="android.uid.system" to your manifest, you will be a platform_app. A system app is more privileged than a platform app. That uses the platform key and runs as the system user.
If you are not the platform vendor, the platform vendor would need to sign your application using their platform key. Some vendors, including my company, will do this for 3rd parties demonstrating a valid reason for doing so.
Without the signature, your application can only be used on rooted devices.
I did not need to sign my app with the firmware signature! I have a rooted device. Therefore I can grant myself rights to write to certain directories using adb.
I moved my app to /system/priv-app instead of /system/app using those steps: Push my apk to /system/app
Now, I can access system permissions like android.permission.SHUTDOWN
There is two types of system apps.
Type 1: The App which is in the same signature of the Device ROM .
Type 2: The Signed app which is in system/priv-app ( Might differ based on adnroid version ) in your device storage location .
Visit this link -> http://www.archive.ricston.com/blog/explaining-behavior-android-application-system-apps-nonsystem-apps/
I am building an app that will be bundled on an android device as a system app. The manufacturer is a ways out on delivering the device to us, so in the meantime I'd like to grant my app system level permissions in the emulator so I can work on an auto update feature that will do silent installs of APKs without any interactions from the user. From what I've read, its my understanding that the only way to be able to do silent installs on android is if your app is signed with the same cert as the OS. So how can I simulate this in the emulator?
If you want a signatureOrSystem permission, you just need to be placed on the system image; you don't need to be signed with any special cert. You can do this as a one-off (until you exit the emulator) like this:
> adb root
> adb remount
> adb push /path/to/My.apk /system/app/My.apk
Once you have done that, you can use the normal process to install further updates on the data partition ("adb install -r /path/to/My.apk" which is what the developer tools do when you run from Eclipse). When installing this way, the app retains any signatureOrSystem permissions it had requested from the original version on the system image, but can not gain any new such permissions.
If you need pure signature permissions, you need to sign your app with the same cert as whatever is declaring those permissions (typically the core framework, but the media system is a separate cert etc). If you are requesting signature permissions you don't need to be installed on the system image, you can just install it as a normal app and it can still get the permissions because of the signing.
As far as I can tell, you need to:
download the Android source and build an emulator firmware image.
sign your application with the keys in the Android source tree at /build/target/product/security/.
add android:sharedUserId="android.uid.system" to your application's manifest.
run your application on an emulator using the image built in step 1.
The reason for having to build your own firmware image is so that you can get at the keys. Now, it might be possible that the keys for the standard emulator image are available somewhere, which will save you the long and exceedingly tedious process of building your own Android, but I'm afraid I have no idea where these might be.
Disclaimer: never tried this myself.