I would like to share apk file to client. but through mail i don't think it's safe. Is there any other way to share apk file to others?
and what are the steps we have to follow while sharing apk file for safety purpose
You can upload your apk to Google Drive, right click file on Google Drive -> share this file to your client. Then after your client download successfully, you can delete this file from your Google Drive for safe. Hope it help you.
I'd go with encrypting the file:
Zip the file using a strong password (replace the {PASSWORD} argument with it)
tar cpvf app.tar app.apk
7z a -p {PASSWORD} -mx=9 -mhe -t7z app.7z app.tar
Use ECDH for the key (password) exchange (for example use RSA)
Send the file however you want
For decryption use:
7z x test.7z
Related
In Huawei App Gallery I have to update an existing aab application. Site redirects me to App signing page and there are steps that I have to follow in order to sign the app successfully. These are the steps provided:
Obtain the pepk.jar file from the Internet or another legitimate source.
Export and encrypt your private key and public key certificate into a ZIP file. Parameters in bold must be replaced as needed. Then, enter your data storage location and key password as prompted.
java -jar pepk.jar --keystore test.jks --alias test --output=output.zip --encryptionkey=<some_encryption_key> --include-cert
Upload the ZIP file containing the private key and public key certificate. (The ZIP file contains only certificate.pem and encryptedPrivateKey.)
Now I have 2 problems.
First one is, when I run the code in 2nd step in CMD. I get include-cert flag is not provided error. However when I write --include-cert=certificate.pem or --include-cert certificate.pem it says flag is unrecognized.
Second one is, I put certificate.pem and private key to folder and then turn it into ZIP. But when I click on submit it gives me Make sure the package contains only the certificate.pem and encryptedPrivateKey files error. Is not encryptedPrivateKey is the file that is exported by AndroidStudio when you generate an app bundle or Apk into the same location with .pepk extension?
I don't know what am I missing in order to sign my application. Any help would be appreciated, thanks in advance
If "No value provided for flag: include-cert" is displayed, the pepk.jar file is incorrect. You need to replace it with a correct one.
https://developer.huawei.com/consumer/en/doc/development/AppGallery-connect-Guides/agc-appsigning-faq-0000001052944432
I get include-cert flag is not provided error. However when I write --include-cert=certificate.pem or --include-cert certificate.pem it says flag is unrecognized.
It is recommended that you do not change the command and follow the commands in the document.
You could click here to try out.
And this is the App Signing Operation Guide video for reference.
So I just posted an app about 15 days before and now I want to upload a new update but while generating the Signed Apk Android studio is asking me for key store credentials... and I read that I have to provide the same credentials that I used on first submission (I did not remember anything about that)
Somehow I managed to get an backup of keystore.store file (which is stored at my project's directory inside a folder named KEY_STORE ) now when I'm putting the suspected alias and passwords I'm getting this error :
Failed to read key from myalias from store /mypath/for/keystore cannot recover key
Now what I can do to get back my credentials ???
You can't recover credentials.
The only way to do this is to try a tool like
http://maxcamillo.github.io/android-keystore-password-recover/
I've never use it.
I think it will try to brute force your credentials.
UPDATE:
I've tested it and it works.
Go to
http://maxcamillo.github.io/android-keystore-password-recover/
Add java files download from the url to a new Java Project (ex. using ItelliJ IDEA)
Add the keystore file to the root of the project
Add this option to program args in this way
-m 1 -k keystorefilename
Run the program
Alternatively, run the jar download from the url and use the same args.
Sorry bro, no way to recover now, you have to have the correct credentials. All you can do is publish a new application in the same name.
My .key file like:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1j6eGXbHpqigZ1K//wnuyr5v/L2jFm7dzTtHJx8ZoMQ4CbsG
My .pem file like:
-----BEGIN CERTIFICATE-----
MIIE4zCCA8ugAwIBAgIDBOziMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
I don't know how many steps of authenticate at here. I only want to create a ssl socket to an IP and port, and send/receive data in that socket.
I tried to use keystock, but perhaps I don't understand deep about it, I always get wrong.
Please give me a guide, or sample code.
Thanks so much.
I assume that the .key and .pem file represents your client certificate you have to use for performing an HTTPS client authentication. Unfortunately Java/Android prefers a different format, therefore I recommend you to import both file into a BKS file.
Creating a BKS file and importing existing .key+.pem file is very simple using KeyStore Explorer. After starting KeyStore Explorer select File -> New Keystore -> BKSv1. Afterwards you can execute Tools -> Import Key Pair and select the .pem file. Afterwards KeyStore Explorer will ask you for selecting the .key file.
Finally save the key store protected with a password of your choice.
The created BKSv1 file can now be used in your Android app. See for example the code posted in this question: Using client/server certificates for two way authentication SSL socket on Android
When creating a SSL connection, you just need the socket to allow the connection with your server, enabling it as a trusted source. To do so, you need to have your SSL certificate in X509 format and then create your connection as stated in this article.
Here's a guide on generating X.509 certificates.
I have developed an application,but when my client tries to download the application from the url provided using Samsung GT19003,it is downloading as .zip file and on click of that it says could not open the file error.Whereas it downloads as .apk and works good in our devices.Please help me as how can i resolve the issue.
Make sure that you have set the http Content-Type to application/vnd.android.package-archive
This let the chrome know that it is an application not a zip.
A simple solution is to add the below line in /etc/mime.types
application/vnd.android.package-archive apk
And restart your apache.
This will force browsers to download files as "apk" and not append "zip" to it.
if its being downloaded as .zip
You or your client can use File Expert application to unzip this .zip file it must show .apk file in the unzip folder
give a direct apk link to your user either he/she use default browser to download or use some other like opera and if it is .apk file link then it must be downloaded as is.
you may be using some content site which zip file on particular download methods please ensure it for direct .apk link.
EDIT 1:
Last but not the least .apk is just a zip file so this is not an issue just rename it(From .Zip to .apk) if you could and i hope it will solve the problem
In my case also the issue was same as #alireza-fattahi mentioned regarding the header.
Sharing this here because in our case the file was in Azure Storage and accessed by a CDN in case anyone has the same issue.
Fix for Azure Sorage and CDN
By default the APK blob that was uploaded had content type of application/zip and the same content type reflected in the reposnse header causing the downloaded file to get a .zip extension on Android OS when download was finished.
I had to set a custom rule in the storage CDN to overwrite content-type header in the response to application/vnd.android.package-archive
Remember to purge the CDN cache after you set the new rule
Read more about Azure CDN rules engine.
Here is the Example :
// set your download apk path here
$path= public_path(). "/upload/apk/Ninja11.apk";
//Set header here like this
$headers = [
'Content-Type'=>'application/vnd.android.package-archive',
'Content-Disposition'=> 'attachment; filename="ninja-release.apk"',
];
return response()->file($path , $headers);
This is Laravel framework code but in the same way, you can use in other frameworks. Simply you need to set the Content type
Note : This is not Android side issues
This is not a question about how to sign an .apk file. I want to know what does signing actually means and how it is implemented.
Inside the .apk file there is META-INF folder and inside that there are two files.
First one is CERT.SF contains SHA1 hashes for various components and looks like this:
Name: res/layout/main.xml
SHA1-Digest: Cox/T8fN1X9Hv4VqjH9YKqc/MsM=
Name: AndroidManifest.xml
SHA1-Digest: wZ418H9Aix1LNch3ci7c+cHyuZc=
Name: resources.arsc
SHA1-Digest: P+uoRrpFyVW6P3Wf+4vuR2ZSuXY=
Name: classes.dex
SHA1-Digest: cN3zXtGii9zuTOkBqDTLymeMZQI=
There is also a file called CERT.RSA. I assume it is the public key to verify the signature.
My question is, where is the signature for the whole .apk file is stored? And what is actually signed? It could be either
.apk file used as a single binary object and this is signed
or CERT.SF is signed which contains individual hashes for different components
It would be also much better if you can point me to the documentation of the detailed signing and verification process.
Indeed this is not a specific Android question but a Java-in-general question however I post an answer anyway...
First of all: Only the XXX.SF file is signed; this means that all the files mentioned in the XXX.SF file are signed "indirectly" because XXX.SF contains their hashes. In fact all files not located in "Meta-Inf" should have hashes there! The whole .apk archive is not signed.
The XXX.SF file is more or less a copy of the MANIFEST.MF file. There is a line "SHA1-Digest-Manifest" which is the SHA-1 hash of "MANIFEST.MF" itself; the "SHA1-Digest" lines do not contain the hashes of the files but the hashes of the tree corresponding lines in the Manifest.MF file just like this:
SHA1("Name: filename"+CR+LF+"SHA1-Digest: "+SHA1(file_content)+CR+LF+CR+LF)
The file format of XXX.DSA/.RSA is the same as for an S/MIME email signature (for the content of XXX.SF) however the data is not base64 encoded and no header/trailer lines are used. "openssl smime -sign -outform DER" would create this format.
Multiple certificates can be used to sign a ZIP file. In this case multiple pairs of (XXX.SF/.RSA, YYY.SF/.RSA, ...) will exist.
This actually has nothing to do with Android. APK files are signed using jarsigner. Here is a link to the manpage.