Module 0273: Android certificates, signing and other security concerns

Tak Auyeung, Ph.D.

March 15, 2017

1 About this module

2 General key-pair concepts

Android apps make use of the key-pair mechanism to authenticate. The general idea of the key-pair mechanism is as follows:

Compared to a single-key mechanism, the key-pair mechanism has some interesting advantages. Because content “locked” by one key can only be deciphered by the other one, one key (let us randomly pick K1) can be designated as the private key, and the other key be designated as the public key.

A private key, as the name implies, needs to remain private. A public key can be published to the entire world.

A key-pair addresses two major concerns in computer security. The first concern is content encryption. Content encryption makes sure content is only available to the intended recipient. For content encryption, the sender encrypts the content to be transmitted using the public key of the recipient. Upon reception, the recipient uses its own private key to decipher the content. The encrypted content can be published to the world safely (assuming the key-pair mechanism is safe!) because supposedly, only the recipient has the necessary private key to unlock it. To the rest of the world, the encrypted content is no more than a random sequence of bits.

The second concern is authentication. Authentication is different from content transmission because it is a mechanism not to ensure privacy, but to ensure identity, “you are who you claim to be,” over the Internet.

Basic authentication involves the computation of a signature of the content to be authenticated (where the origin of the content needs to be verified). The algorithm to compute a signature is often open because there is no secret in the signature itself. Even an MD5 hash can be used. The purpose of a signature is to generate a fixed bit-length digest from any content that has a very small probability of collision (being the same as the digest of other content).

The signature is then encrypted using the private key of the sender. The encrypted signature is transmitted or included with the content. Note that the content itself can also be encrypted as described earlier, but that is optional. When a recipient receives the content and the encrypted signature, the recipient re-computes the signature using the associated open algorithm. The recipient also uses the public key of the sender to decipher the encrypted signature that was transmitted or included. If the deciphered signature matches the computed signature, then authenticity is established.

This basic authentication has one flaw: anyone can generate a key-pair. Any person can generate a key-pair, publish the public key, and claim to be an established financial institution. This is because the key-pair mechanism ensures only that the sender is the party holding the private key corresponding to the public key used to decipher the signature. It does not ensure the claimed identity of the sender in the public certificate (which includes the public key).

To remedy this potential issue, the Internet designates certain organizations as “certificate authorities” (CAs). A trusted CA has to go through a rigorous process to become trusted. In the context of Android apps, the only CA is Google itself.

With the concept of a CA, a certificate is signed by a CA only if the identity of a web site is verified. This typically means the CA uses nslookup and other mechanisms to check that the requester does, in fact, have ownership of the web site mentioned in a certificate.
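
The signing and verification flow described in this section, together with its flaw, as an added example that is not part of the original module. Textbook RSA without padding, SHA-256 as the digest, the toy keys built from Mersenne primes, and all function names are assumptions made for illustration.

```python
import hashlib

E = 65537  # common public exponent

def make_keypair(p, q):
    """Textbook RSA key-pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(content):
    """Fixed-length digest of arbitrary content, as an integer."""
    return int.from_bytes(hashlib.sha256(content).digest(), "big")

def sign(content, private):
    n, d = private
    return pow(digest(content), d, n)  # digest "locked" with the private key

def verify(content, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(content)  # recompute and compare

def cert_body(name, public):
    return f"{name}|{public[0]}|{public[1]}".encode()

def make_cert(name, subject_public, signer_private):
    """Certificate = claimed name + public key + signature over both."""
    return {"name": name, "public": subject_public,
            "sig": sign(cert_body(name, subject_public), signer_private)}

def cert_signed_by(cert, signer_public):
    return verify(cert_body(cert["name"], cert["public"]), cert["sig"], signer_public)

def demo():
    # Constructed toy keys from Mersenne primes: trivially factorable, illustration only.
    m = lambda k: 2**k - 1
    ca_pub, ca_priv = make_keypair(m(521), m(607))
    dev_pub, dev_priv = make_keypair(m(1279), m(2203))
    # Anyone can put any name in a certificate and sign it with their own key.
    cert = make_cert("Established Bank", dev_pub, dev_priv)
    app = b"constructed app content"
    sig = sign(app, dev_priv)
    return {
        "content_ok": verify(app, sig, cert["public"]),         # True
        "tampered_ok": verify(app + b"!", sig, cert["public"]),  # False
        "self_signed_ok": cert_signed_by(cert, cert["public"]),  # True
        "ca_vouches": cert_signed_by(cert, ca_pub),              # False
        "ca_issued_ok": cert_signed_by(make_cert("Established Bank", dev_pub, ca_priv), ca_pub),
    }
```

The self-signed certificate verifies against its own key, which proves possession of the private key and nothing about the name inside it. Only the check against the CA's public key distinguishes a vouched-for identity from a claimed one.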

3 Key-pair applied to Android apps

Android APK files can include a certificate file that includes the claimed identity of the developer, a public key, and miscellaneous information. What is interesting is that Android allows these certificates to be self-signed.

In the end, a signed Android app only ensures apps from the same developer have the same user ID in Linux (the underlying OS of Android). The certificate details of an APK file can be viewed using the following command:

unzip -p someapp.apk META-INF/CERT.RSA | openssl pkcs7 -inform DER -noout -print_certs -text

By default, most Android devices are configured to disable installation of untrusted apps (from unknown sources). This means that apps can only be installed via Google Play. Although this feature does not cure the problem of a self-signed app (anyone can claim to be a major financial institution, for example), it does make sure Google has a way to track down the developer account that pushed the app to the Play Store.