I'm trying to make a system app work. Here's what I have:
An OEM OMAP platform with full 4.4.2 source code. I've built the system and loaded on my platform using Ubuntu 14.04. That all works.
Now, there is an app from the OEM which directly accesses the hardware (DSP, I2C, UART) etc. The original APK that came from the OEM works on my platform.
I built the exact same app using make command (not using Eclipse); It builds and I can install on the platform. But when I try to launch the app, it gets stuck in an eternal wait state.
I am not sure, but I suspect my locally built app tries to initialize a hardware component on the board and then gets blocked there.
I've been reading articles all over, and seems like it has something to do with the app signing and certificate. I think the general idea is the app needs to be signed with the same certificate with the system itself. I thought, since I built both the app and the system on the same machine using same commands, they would have a same certificate.
If it helps, the manifest file has this line:
android:sharedUserId="android.uid.system"
And the project make file Android.mk has this line:
LOCAL_CERTIFICATE := platform
Can anyone show me how can I make the app work? I am not sure, seems like I have to rebuild the app with proper certificates so that it can access all the hardware resources.
Thanks.
Check signing system apk.
Optionally:
You need to create a keystore file by using keytool-importkeypair which you can find here.
Go into the: build/target/product/security/ directory in your platform source tree (source codes related to your Android version and vendor).
You will find platform.pk8 and platform.x509.pem files.
Create keystore file by using this example command:
keytool-importkeypair -k ~/.android/debug.keystore -p android -pk8 platform.pk8 -cert platform.x509.pem -alias platform
You can use this keystore file to sign your apk which will have system permissions afterwards.
Related
The context of my issue is the following:
I build AOSP for our hardware device on Linux
Together with the system, I build an APK as a system application
Everything works fine in this setup when I flesh it together with system image
However, I would like to have this application build separated from the AOSP build and be able to build it standalone and install from Windows.
On windows, I am trying to build it with Gradle
And the problem arises when I try to push the build to the device the following way:
adb install -r my_app.apk
adb: failed to install my_app.apk: Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Package <...> signatures do not match the previously installed version; ignoring!]
Obviously the error means that I am missing a platform signature in the application, but where to take it from the AOSP build and how to sign it with Gradle build is not so clear.
Also here I found an advice to uninstall the system app first before installing. Unfortunately, for my case it does not help, the error is still the same even I uninstall it first.
I already spend quite some time on this, searching in the Android make-files for the signing script, but it seems to be not that straight forward there.
Any help would be highly appreciated...
Create a keystore from platform.x509.pem and platform.pk8 files located in build/target/product/security. Then use that with gradle.
See this answer for how to do the conversion: https://stackoverflow.com/a/22214826/3801327
Note: Don't use the default keys included with AOSP, everyone has those, and would be able to make their app a system app in your platform. Generate your own keys.
In my company, we would want total control for battery consumption in the field, using only 2g and gps could drain the battery awfully fast. What we decided is that we need to have root access to the mobile phone, So that when phone is idle, we would turn off those needless battery consumption.
And also we would not allow users to uninstall it and clear data to it.
My Question is :
Where do I get these signature key?
Is it going to like a root access If ever I successfully managed to
sign it?
What is the difference between Root vs Signed with key?
Answering your three questions:
1 - Where do I get these signature key?
From Android's own documentation in the section Release Keys
The Android tree includes test-keys under
build/target/product/security
But the next part is where you should really pay attention
Since the test-keys are publicly known, anybody can sign their own
.apk files with the same keys, which may allow them to replace or
hijack system apps built into your OS image. For this reason it is
critical to sign any publicly released or deployed Android OS image
with a special set of release-keys that only you have access to.
So basically unless you can somehow gain access to manufacturer's pvt keys it might be difficult to achieve this. This is why a user in a previous comment was saying this is usually achieved by producing your own build.
2 - Is it going to like a root access If ever I successfully managed
to sign it?
You will not get "root access" by doing it, but you will get access to an extremely high level of access. Specifically, what this achieves you is that you will be granted permissions with declared android:protectionLevel="signature" which is, arguably, the most exclusive one.
One other dangerous consequence (or fun, depending on how you look at it) of this is that you can now run your app under system user process android:sharedUserId="android.uid.system" - under android's "process sandboxed" security rules this would normally fail.
3 - What is the difference between Root vs Signed with key?
With an app signed with the platform key from your build, you can get the permissions mentioned above, or run your app with UID 1000 (system uid) which in android is much more powerful than the UIDs of other apps because of the permissions it can request, this is a behaviour specific of Android though.
In a rooted device, you can use UID 0 (root) which has the broadest access in linux based systems, you can bypass most of the security sandboxing/checks/fences on the OS.
Hope this helps ;)
Well below is your answer,
You can find platform keys from
HERE. The command to sign apk (for linux) is:
java -jar signapk.jar -w platform.x509.pem platform.pk8 APPLICATION.apk APPLICATION_sign.apk
onward Android 10 lib64 library path need to provided which can be found at android/out/host/linux-x86 after generating a successful build, one can copy folder or simply provide its path to generate sign APK
java -Djava.library.path="<path to lib64>" -jar signapk.jar -w platform.x509.pem platform.pk8
If you sign your apk with platform keys you won't required root access you can simply install it from "adb install" command, and yes in someway it is like root 'cos it can access all internal api but keep in mind if your app is system signed then you can't write external storage.
First of all don't combine both root is user where system app is application type which distinguish from normal application below link might clear your confusion regarding it.
what-is-the-difference-between-android-user-app-with-root-access-and-a-system-ap
For anyone coming to this question and even after reading the comments not being able to make it work, it might be because there're some things missing (specially if getting OPENSSL errors), here's everything you need.
Sign APK with test keys from the AOSP
git clone https://android.googlesource.com/platform/prebuilts/sdk.git - Careful it's ~6GB, or you can download what you need, the signapk.jar file and the libraries.
download the platform.x509.pem and platform.pk8 from https://github.com/aosp-mirror/platform_build/tree/master/target/product/security (or get your own keys corresponding to the image)
With java installed, change the following command with the right paths for the files, the lib64 in the sdk you just cloned, the signapk.jar file, the platform key files and the apk to sign
java -Xmx2048m -Djava.library.path="~/../sdk/tools/linux/lib64" \ # In the cloned sdk
-jar ~/../sdk/tools/lib/signapk.jar \ # In the cloned sdk
platform.x509.pem platform.pk8 \ # The keys for signing (from step 2)
app-prod-release.apk release.apk # The app to sign and the signed app
I need to build a web environment which creates signed Android .apk files from a given Android application source code. How can I get this? The web environment will be running on a Linux machine.
I was thinking on a Linux shell script which builds signed .apk file. However, I've read some information about Apache Ant but I don't understand exactly its purpose and if it could do the trick.
I am working on an automatic app updating solution for devices (LG p509 - Optimus 1) which we deploy to our customers. We have control of these devices and currently install a custom kernel on them (but not a full custom ROM). Since we are trying to do auto-updating of our app on the device, we need the system to be signed by a key which we control so we can sign our apps with the same key (to get the INSTALL_PACKAGES permission).
I have been having a few issues running AOSP builds on the device (using the LG released source for the device), and am trying to take a step back and evaluate our options. I have a few questions:
Is it viable to just pull the system.img off the phone and resign the contents? If so, where is the system apk located? I poked through the PackageManager source and it uses a systempackage (seemingly called "android") to compare apps with to see if they are allowed to have system permissions.
Has anyone here created a custom ROM for the device that could offer some advice on how just get our signature be the system signature?
Any insight would be appreciated.
Ok, so we figured it out. I am not going to go into full detail (too much writing), but here is the basic gist for anyone who stumbles on this:
If you want change the key which the system is signed with, you need to do the following steps:
Extract /system/ dir from the running phone
Inspect the .apk files (from /system/app and /system/framework) to figure out which ones are signed by the same key as the framework-res.apk. I used a modified version of the script linked here to figure out which APKs to sign.
If the APKs in /system/app which share the signing key with framework-res.apk are odexed, you need to de-odex them.
resign the APKs and the framework-res.apk and pack them in an update.zip (google how to do that).
On my specific device I had to resign both /system/framework/framework-res.apk and /system/framework/lge-res.apk from /system/framework and also had to de-odex and sign 20 .apks from the /system/app folder in order to get everything running smoothly.
The "system apk" is /system/framework/framework.jar. I've never tried to re-sign the system image but I've written code which was part of the system image (not within a normal apk project) and it became part of this jar. There are additional jars in this directory which may need to be re-signed also.
The signature is created randomly and placed in two files in your build environment, build/target/product/security/platform.pk8 and build/target/product/security/platform.x509.pem. I don't know how to extract these from a normal key store, however I've been able to copy them from one firmware build to another to ensure that both images had the same platform key. Also, I've been able to change the signature of APKs with this command: java -jar signapk.jar platform.x509.pem platform.pk8 Old.apk New.apk. You'll find signapk.jar in your build, at out/host/linux-x86/framework/signapk.jar
I have already published 5 updates for my application without any problems. Now, when trying to install an update for testing purposes the installation fails. Through the regular Android package installer I get the error "Application not installed."
When trying to install the application through adb I get the error:
[INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES]
I know for a fact that the certificate is the same one I've used to sign the app before.
I have also incremented the versionName and versionCode accordingly in the Manifest file.
The only thing that has changed since my last update is that my hard drive crapped-out on me, which led to re-installing eclipse, ADT, Android SDK, and Java. I basically had to set up the entire development environment again after the crash.
Everything, including all of my project files, were backed-up. I can build my application just fine.
Installation works if I uninstall the previous version first, but this is an update for an app that I currently have published. I can't ask the users to uninstall whatever version they currently are using to take an update. That sounds silly.
Any ideas would be helpful.
I think you need double confirm whether you use the same certificate or not since we ran into the same scenarios many many times and the root causes are always the same: the certificate changes.
you could simply unzip the .apk file since it is just a regular ZIP package and then locate the file META-INF/CERT.RSA. the CERT.RSA should NOT be changed in all your .APK files. to confirm, decrpt it as following:
openssl pkcs7 -inform des -in CERT.RSA -out decrypted.txt -print_certs -text
and you could simply run diff on the .txt files.