Re-sign an Android APK Manually for an application

This tutorial is going to look at how you can manually re-sign an Android APK for an application on your device.

Need: white label product

A white label product is a product or service produced by one company (the producer) that other companies (the marketers) rebrand to make it appear as if they had made it.

White label goods and services have been around for decades. In every industry you could imagine, businesses create products which are rebranded by their partners to sell as their own.

The technology industry, and the app sector in particular, is no exception. As consumers go mobile in their tens of millions, digital agencies and entrepreneurs are rushing to catch up, and cash in.

So, you ask the service provider to create a white-labelled app for your company. The APK file is sent to you, you try to upload it to your company's Developer console, and... the upload fails! You scratch your head and wonder why. Is anything wrong with the APK?

The short answer is NO. A possible reason is the signing identity: the APK has been modified as per your requirements, but it still carries the signature of the provider's enterprise certs. Google won't allow you to upload the app to the Store due to signature conflicts.

Next…you might wonder – do I have to share my enterprise certs with the client and hence compromise on safety? The Security Team is definitely not going to like that approach.

Well, relax. There is another, safe way: you re-sign the APK with your own certs, without even having to know the code.

Things needed:

  1. Android SDK
  2. APK file as-is
  3. Your enterprise .keystore file along with its alias name and password.

Preparing your app for Re-signing / Remove previous signing

Open up the .apk file in an archive manager and delete the entire META-INF directory with all of its contents.

Ensure that the archive is saved upon closing it back up and keep the file extension as a .apk.

  1. Change the extension of your .apk to .zip.
  2. Open the archive and delete the META-INF folder.
  3. cd to the folder containing the Manifest file and run the zip command.

Command:

zip -r [filename] [path-to-folder-that-needs-to-be-zipped]

Example:

zip -r Android_SignatureRemoved.apk *
where:

Android_SignatureRemoved.apk is the name of the file that will be generated. You can specify any name you want. Do not forget to append the .apk extension.

* means that all the contents of the current folder are zip-packaged into the file with the .apk name mentioned above.
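The signature-removal step above as a script (an added example, not from the original tutorial). It goes slightly beyond the manual steps: it reports which deleted META-INF entries were signing files and which were not, and it keeps each entry's original compression method. The function names and the sample APK contents are constructed for illustration.

```python
import os
import tempfile
import zipfile

SIG_DIR = "META-INF/"                          # directory the tutorial deletes
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # JAR signature / signature-block files


def is_signature_file(name):
    """True for the JAR signing files that jarsigner writes directly under META-INF/."""
    base = name[len(SIG_DIR):].upper()
    return name.startswith(SIG_DIR) and "/" not in base and (
        base == "MANIFEST.MF" or base.endswith(SIG_SUFFIXES))


def strip_meta_inf(src_apk, dst_apk):
    """Copy src_apk to dst_apk without META-INF/; report what was dropped."""
    dropped = {"signature": [], "other": []}
    with zipfile.ZipFile(src_apk) as src, zipfile.ZipFile(dst_apk, "w") as dst:
        for info in src.infolist():
            if info.filename.startswith(SIG_DIR):
                kind = "signature" if is_signature_file(info.filename) else "other"
                dropped[kind].append(info.filename)
                continue
            # Passing the original ZipInfo keeps each entry's compression
            # method, so entries that were stored uncompressed stay that way.
            dst.writestr(info, src.read(info.filename))
    return dropped


def build_sample_apk(path):
    """Constructed stand-in for a provider-signed APK (not a real app)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>", zipfile.ZIP_DEFLATED)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00", zipfile.ZIP_STORED)
        for name in ("MANIFEST.MF", "CERT.SF", "CERT.RSA", "services/x.Provider"):
            z.writestr(SIG_DIR + name, b"constructed", zipfile.ZIP_DEFLATED)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "in.apk"), os.path.join(d, "out.apk")
        build_sample_apk(src)
        print(strip_meta_inf(src, dst))
        with zipfile.ZipFile(dst) as out:
            print(out.namelist())
```

Anything listed under "other" is also removed when the whole META-INF directory is deleted, so review that list before signing the output.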

Signing for release.keystore

Note: Get the key-store file from the Android project and copy it into your working directory. Make sure you have the password handy.

Command:

jarsigner -verbose -keystore [keystorefile] -signedjar [unalignedapk] [originalapk] alias_name

Example:

jarsigner -verbose -keystore release.keystore -signedjar Android_SignatureRemoved_unaligned.apk Android_SignatureRemoved.apk release

Aligning

Command:

zipalign -v 4 [unalignedapk] [releaseapk]

Example:

zipalign -v 4 Android_SignatureRemoved_unaligned.apk Android_SignatureRemoved_release.apk

This is it!

Now you have the re-signed release APK with valid certs, and it is good to be uploaded to the Play Store!
