First extract the contents of the APK. This is easy since an APK is essentially a ZIP archive. If you don't know any better way, you can always rename the APK to a ZIP extension and extract it's contents the same way you'd extract a ZIP. On a Unix/Linux box you can use
unzip
:
mkdir Example
cd Example
unzip ../Example.apk
APK files used to contain a self-signed certificate and a signature list of most included files. Both are in the
META-INF
subdirectory of the package.
To print out the contents of the certificate you can use
openssl
:
openssl pkcs7 -inform DER -in META-INF/CERT.RSA -noout -print_certs -text
Or
keytool
from the Oracle JDK:
keytool -printcert -file META-INF/CERT.RSA
To verify each signature in the package, use
jarsigner
from the Oracle JDK:
jarsigner -verify -certs -verbose ../Example.apk
Or to dump the certificates from all APKs in a directory tree (the following code prints path, app label and certificates):
aapt_bin="$(which aapt)"
[ -n "$aapt_bin" -a -x "$aapt_bin" ] && find . -type f -iname '*.apk' -print0 | while IFS="" read -r -d "" j; do IFS="$(printf '\nX')"; IFS="${IFS%X}"; label="$("$aapt_bin" d badging "$j" | grep '^application:' | cut -d\' -f2)"; for f in $(jar tf "$j" | egrep '^META-INF/.*\.[DR]SA$'); do echo "********** ${j}${label:+: $label} **********"; unzip -cqq "$j" "$f" | openssl pkcs7 -inform DER -noout -print_certs -text; done; done
You can get some further insight by reading Chris Stratton's answer to
this question.
Recent comments
2 years 25 weeks ago
3 years 46 weeks ago
3 years 47 weeks ago
3 years 48 weeks ago
3 years 49 weeks ago
4 years 4 weeks ago
4 years 4 weeks ago
4 years 4 weeks ago
4 years 4 weeks ago
4 years 5 weeks ago