Application Signing - CraigDonkin/Android-Testing GitHub Wiki
All APKs must be digitally signed with a certificate before they can be installed. There are two schemes.
V1 Jar Signing Scheme
- All files signed with a common certificate
- Not all of the APK is covered by the signature: only the zip entries are protected, not the zip metadata around them
- Many untrusted data structures must be parsed first, and anything not covered by a signature is then discarded
- Larger attack surface
APK Signature Scheme (v2)
- Whole file is signed
- The APK Signing Block is inserted into the APK immediately before the Zip Central Directory
Generating a certificate
keytool is located in Android Studio/JRE/Bin
keytool -genkey -v -keystore key.keystore -alias aliasname -keyalg RSA -keysize 2048 -validity 73000 -storepass password
Signing an Application
- apksigner is included in the Android SDK build-tools directory
- jarsigner is in Android Studio/JRE/Bin
apksigner sign --ks keystore.jks --out app.apk unsigned.apk
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore keystore app.apk alias
Zip Align
https://developer.android.com/studio/command-line/zipalign
zipalign, also in the build-tools directory of the Android SDK, optimises the alignment of uncompressed data in an APK. You must run zipalign before signing with apksigner (zipalign modifies the file, which would invalidate a v2 signature) but after signing with jarsigner (a v1 signature covers only the zip entries, so realignment leaves it valid).
zipalign -f -v 4 app.apk outapp.apk
Which signing scheme has been used?
Use apksigner to verify whether an app has been signed and by which scheme:
apksigner verify --verbose app.apk
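As an added example (not part of this wiki page and not apksigner's own code), the script below answers the same question offline by reading the APK structure described above: it looks for META-INF signature files (v1) and walks the APK Signing Block that sits just before the Zip Central Directory (v2/v3), using the block layout and the v2/v3 ID-value pair IDs from the APK Signature Scheme specification. It only reports which schemes are present, not whether they verify, and it builds its own constructed sample zips as stand-ins for real APKs.

```python
import io
import struct
import zipfile
MAGIC = b"APK Sig Block 42"             # 16-byte magic that ends the APK Signing Block
V2_ID, V3_ID = 0x7109871A, 0xF05368C0   # ID-value pair IDs of APK Signature Scheme v2 and v3

def _eocd(apk):  # -> (eocd_pos, cd_size, cd_offset) from the zip End of Central Directory record
    pos = apk.rfind(b"PK\x05\x06")
    if pos < 0 or pos + 22 > len(apk):
        raise ValueError("no End of Central Directory record")
    return (pos, *struct.unpack_from("<II", apk, pos + 12))

def signing_block_ids(apk):  # IDs of the pairs in the APK Signing Block that sits just before the CD
    _, _, cd_offset = _eocd(apk)
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != MAGIC:
        return set()                              # no block: v1-only or unsigned
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - 8 - size                  # 'size' excludes the leading size field itself
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    ids, pos = set(), start + 8
    while pos < cd_offset - 24:                   # each pair: uint64 length, uint32 ID, value bytes
        length, block_id = struct.unpack_from("<QI", apk, pos)
        ids.add(block_id)
        pos += 8 + length
    return ids

def signing_schemes(apk):  # presence only; 'apksigner verify' is what checks that signatures validate
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
    v1 = "META-INF/MANIFEST.MF" in names and any(  # v1 leaves a manifest plus .RSA/.DSA/.EC block file
        n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names)
    ids = signing_block_ids(apk)
    return [n for n, ok in (("v1", v1), ("v2", V2_ID in ids), ("v3", V3_ID in ids)) if ok]

def build_sample_apk(v1=False, block_ids=()):  # constructed stand-in for an APK, not an installable app
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        for name in ("MANIFEST.MF", "CERT.SF", "CERT.RSA") if v1 else ():
            zf.writestr("META-INF/" + name, b"placeholder")
    apk = buf.getvalue()
    if not block_ids:
        return apk
    eocd, _, cd_offset = _eocd(apk)
    pairs = b"".join(struct.pack("<QI", 4, i) for i in block_ids)   # length 4 = ID only, empty value
    size_field = struct.pack("<Q", len(pairs) + 24)                  # pairs + trailing size + magic
    block = size_field + pairs + size_field + MAGIC
    patched_eocd = apk[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + apk[eocd + 20:]
    return apk[:cd_offset] + block + apk[cd_offset:eocd] + patched_eocd
```

Run `signing_schemes(open("app.apk", "rb").read())` against a real APK to see the same v1/v2/v3 picture apksigner reports, minus the cryptographic verification.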