Signing my android application as system app
C

3

22

In my company, we want total control over battery consumption in the field; using only 2G and GPS could drain the battery awfully fast. What we decided is that we need to have root access to the mobile phone, so that when the phone is idle, we can turn off that needless battery consumption. We also would not allow users to uninstall it or clear its data.

My questions are:

  1. Where do I get these signature keys?
  2. Is it going to be like root access if I ever successfully manage to sign it?
  3. What is the difference between Root vs Signed with key?
Caritacaritas answered 2/6, 2016 at 8:15 Comment(7)
You can only sign your application like a system app if you are building Android from source for your project. - Deepfreeze
@VíctorSantoja I doubt that it's the only possible way. I have been searching on these problems the entire week, but what I found was intriguing. I think we can sign through manufacturer keys. https://mcmap.net/q/375858/-how-sign-my-app-as-quot-system-application-quot-android - Caritacaritas
I know that if you sign the APK with the manufacturer keys, it's possible, but you can't publish this APK on Google Play - Deepfreeze
@VíctorSantoja Why not? It's the same APK but signed with different keys; I'll just add the application depending on different manufacturers (correct me if I'm wrong). Anyway, how do I ask the Asus manufacturer? I've been through their website, can't post, but I'm emailing them now - Caritacaritas
The AOSP signing keys are blocked in the Play Store, FWIK. So if you sign your app with that key it won't publish on the Play Store. - Elery
In case we deal with manufacturing, do we need to sign our app with OS sign? Could the manufacturer put our app in system apps with another sign? - Randolph
Why would they need to put it in the app store? Can't they just install it directly on the device or provision through device manager? - Cockroach
L
23

Well below is your answer,

  1. You can find platform keys from HERE. The command to sign an APK (for Linux) is:

    java -jar signapk.jar -w platform.x509.pem platform.pk8 APPLICATION.apk APPLICATION_sign.apk

    From Android 10 onward, the lib64 library path needs to be provided; it can be found at android/out/host/linux-x86 after generating a successful build. One can copy the folder or simply provide its path to generate the signed APK:

    java -Djava.library.path="<path to lib64>" -jar signapk.jar -w platform.x509.pem platform.pk8

  2. If you sign your APK with platform keys you won't require root access; you can simply install it with the "adb install" command, and yes, in some way it is like root 'cos it can access all internal APIs, but keep in mind that if your app is system signed then you can't write to external storage.

  3. First of all, don't combine the two: root is a user, whereas system app is an application type that is distinguished from a normal application. The link below might clear up your confusion regarding it.

    what-is-the-difference-between-android-user-app-with-root-access-and-a-system-ap

Lachish answered 2/6, 2016 at 8:42 Comment(24)
Can't I really write to external storage? Is this correct? - Caritacaritas
If you make a system app, or we can say you sign with the platform certificate, then NO, you can't write to external storage. - Lachish
Thanks for the answer bro, my mind was so absent; the answer is correct. - Caritacaritas
I'm having a problem signing. I don't know what error this is, but I followed your steps and now I'm stuck here signing it. The error usually logs: Usage: signapk publickey.x509[.pem] privatekey.pk8 input.jar output.jar - Caritacaritas
Hey buddy, may I know which command you are using to sign? You should use it like this: "java -jar signapk.jar -w public_key.x509.pem private_key.pk8 INPUT.zip OUTPUT.zip" - Lachish
If I don't put -w it will work, but if I put -w that error message comes out. - Caritacaritas
Hey David, -w is my mistake actually. I used to sign .zip (OTA) packages, so for signing a zip package we required the "-w flag to sign the whole zip file", so it won't be applicable for your .apk file. - Lachish
Ah yes, actually it's working now, and now I understand the difference, thank you. I'm just wondering: I could turn the SIM now but couldn't use internet access. Do you know why this is? - Caritacaritas
Can't understand your question, can you please provide detail? - Lachish
If you try to enable data (GPRS) then you can find a handy reference from here #11555866 - Lachish
Ah, it's working now, I just had to reboot again and wait. Thank you - Caritacaritas
Can you help me with my problem? I'm having a problem with some keys, either platform or testkeys. I'm using Lenovo; here my post - Caritacaritas
It worked, but for others this command will not work if you have JDK 9. It will give you a baseencoder error in signapk.jar. To solve this I needed to decrement my Java to java version "1.8.0_151". It worked perfectly fine. - Tewfik
@NguyễnHoàng I think you can use the same command in Windows as well - Lachish
@Apar Amin. So run in the command line? And what is the directory here? Thanks. And can I expose the APK to install normally without adb? - Scissors
@NguyễnHoàng For the sake of simplicity, please put the certificates (.pem and .pk8) and signapk.jar in the same folder/directory; you can also put your APKs inside the same folder/directory, go to that folder/directory path in the terminal/command prompt and execute the command, but beware, you need to configure the Java path - Lachish
Do we need any runtime installed on Linux or Windows to run this command? The above command gives me the error: Failed to load any of the given libraries: [conscrypt_openjdk_jni windows-x86_64, conscrypt_openjdk_jni] - Millihenry
@RajeevKumar Yup, please install the JDK first because it is using the "java -jar" command - Lachish
@AparAmin Java is installed on the system - Millihenry
@RajeevKumar Please use with the full path: java -Xmx2048m -Djava.library.path="out/host/linux-x86/lib64" \ -jar out/host/linux-x86/framework/signapk.jar \ -w build/target/product/security/platform.x509.pem \ build/target/product/security/platform.pk8 \ FileNeedSign.apk FileNeedSign_Signed.apk - Lachish
I need your help guys ... @RajeevKumar I need your help - Decoteau
I am facing an error while executing the command, anyone having an idea? error: Error: Unable to access jarfile signapk.jar Command: java -jar signapk.jar certificate.pem key.pk8 file Application.apk Application_sign.apk AOSP: Android 11 master branch - Childbearing
You need to add the "lib64" folder from Android 10 onwards; you can find it at "android/out/host/linux-x86/lib64", and after that use the below command to sign: java -Djava.library.path="<path to lib64>" -jar signapk.jar -w platform.x509.pem platform.pk8 - Lachish
@AparAmin I tried this but I am unable to install the APK. I am getting a "There was a problem parsing this package" error. - Import
B
24

Answering your three questions:

1 - Where do I get these signature keys?

From Android's own documentation in the section Release Keys

The Android tree includes test-keys under build/target/product/security

But the next part is where you should really pay attention

Since the test-keys are publicly known, anybody can sign their own .apk files with the same keys, which may allow them to replace or hijack system apps built into your OS image. For this reason it is critical to sign any publicly released or deployed Android OS image with a special set of release-keys that only you have access to.

So basically, unless you can somehow gain access to the manufacturer's private keys, it might be difficult to achieve this. This is why a user in a previous comment was saying this is usually achieved by producing your own build.

2 - Is it going to be like root access if I ever successfully manage to sign it?

You will not get "root access" by doing it, but you will get an extremely high level of access. Specifically, what this achieves is that you will be granted permissions declared with android:protectionLevel="signature", which is, arguably, the most exclusive one.

One other dangerous consequence (or fun, depending on how you look at it) of this is that you can now run your app under the system user process, android:sharedUserId="android.uid.system" - under Android's "process sandboxed" security rules this would normally fail.

3 - What is the difference between Root vs Signed with key?

With an app signed with the platform key from your build, you can get the permissions mentioned above, or run your app with UID 1000 (system UID), which in Android is much more powerful than the UIDs of other apps because of the permissions it can request; this is a behaviour specific to Android, though. On a rooted device, you can use UID 0 (root), which has the broadest access in Linux-based systems; you can bypass most of the security sandboxing/checks/fences on the OS.

Hope this helps ;)

Baca answered 13/10, 2017 at 11:50 Comment(5)
I made my app a system app with the above mentioned command. In your 1st point you have made a very valid point: "Anybody can sign their own .apk files with the same keys, which may allow them to replace or hijack system apps built into your OS image". How can I overcome this? You did mention a way, but I am not able to sign the deployed OS with a special set of release keys. Thanks in advance. I know it's an old answer, but I will appreciate it if you explain or provide any link regarding the issue. - Tewfik
@HassanMunir No problem, the point of this is really to share knowledge. To answer your question, it depends on what exactly you are trying to achieve, and your position as a developer: 1 - are you someone who is making their own build of Android from AOSP or the code of some other Android project? 2 - are you someone who by some means (root or otherwise) can write to the /system partition? 3 - are you a "normal" developer making an app for the general public? - Baca
@Caritacaritas As more people continue to look at your question, it is important to note that the accepted answer is very dangerous, as you can read in my answer (directly quoted from Google Docs) - I believe this should be marked as the correct answer - Baca
As I see it, this answer is correct; it looks strange that it is not on the top. - Partridgeberry
@UtkinAnton Indeed it is, by all means upvote it please x'D The accepted answer recommends using a set of keys that is public... The consequences of signing any ROM with that... I just have no words. - Baca
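
A defender-side check for the risk quoted above from the Android documentation (publicly known test-keys), added here as an example and not part of the original answers: it rejects an APK whose signer certificate matches any certificate on a denylist built from the public `*.x509.pem` files. It assumes `apksigner` and `openssl` are on the PATH and print digests in the formats noted in the comments; the script name, function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: reject an APK signed with a publicly known AOSP test key.
# Assumed tool output formats:
#   apksigner verify --print-certs -> "Signer #1 certificate SHA-256 digest: <hex>"
#   openssl x509 -noout -fingerprint -sha256 -> "sha256 Fingerprint=AA:BB:..."

# stdin: apksigner output; stdout: one lowercase hex digest per signer.
apk_signer_digests() {
    sed -n 's/^.*certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p' |
        tr 'A-F' 'a-f'
}

# stdin: openssl fingerprint output; stdout: lowercase hex without colons.
openssl_digest() {
    sed -n 's/^.*[Ff]ingerprint=\(.*\)$/\1/p' | tr -d ': \r' | tr 'A-F' 'a-f'
}

# uses_public_key APKSIGNER_OUTPUT DENYLIST
# DENYLIST is whitespace-separated digests; returns 0 if any signer is on it.
uses_public_key() {
    for signer in $(printf '%s\n' "$1" | apk_signer_digests); do
        for denied in $2; do
            if [ "$signer" = "$denied" ]; then
                return 0
            fi
        done
    done
    return 1
}

# Constructed sample values (not real digests) for checking the logic offline.
SAMPLE_APKSIGNER_OUT='Signer #1 certificate DN: CN=Example
Signer #1 certificate SHA-256 digest: ABCDEF0123
Signer #1 certificate SHA-1 digest: 0099'
SAMPLE_DENYLIST=$(printf 'sha256 Fingerprint=AB:CD:EF:01:23\n' | openssl_digest)

# Usage: check_apk.sh app.apk build/target/product/security/*.x509.pem
if [ "$#" -ge 2 ]; then
    apk=$1
    shift
    deny=$(for pem in "$@"; do
        openssl x509 -in "$pem" -noout -fingerprint -sha256 | openssl_digest
    done)
    # Fail closed: an APK that does not verify is never reported as OK.
    certs=$(apksigner verify --print-certs "$apk") || exit 2
    if uses_public_key "$certs" "$deny"; then
        echo "REJECT: $apk is signed with a publicly known test key" >&2
        exit 1
    fi
    echo "OK: $apk signer is not on the test-key denylist"
fi
```

Run in a release pipeline, a non-zero exit blocks any build that was signed with the keys from build/target/product/security instead of private release-keys.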
C
2

For anyone coming to this question and, even after reading the comments, not being able to make it work, it might be because there are some things missing (especially if getting OPENSSL errors); here's everything you need.

Sign APK with test keys from the AOSP

  1. git clone https://android.googlesource.com/platform/prebuilts/sdk.git - Careful, it's ~6GB, or you can download just what you need: the signapk.jar file and the libraries.
  2. Download the platform.x509.pem and platform.pk8 from https://github.com/aosp-mirror/platform_build/tree/master/target/product/security (or get your own keys corresponding to the image).
  3. With Java installed, change the following command with the right paths for the files: the lib64 in the sdk you just cloned, the signapk.jar file, the platform key files and the APK to sign.

    # lib64 and signapk.jar are in the cloned sdk; the keys are from step 2;
    # the last two arguments are the app to sign and the signed app.
    # $HOME is used because ~ is not expanded inside double quotes.
    java -Xmx2048m -Djava.library.path="$HOME/../sdk/tools/linux/lib64" \
        -jar ~/../sdk/tools/lib/signapk.jar \
        platform.x509.pem platform.pk8 \
        app-prod-release.apk release.apk

Chlorinate answered 14/9, 2020 at 22:40 Comment(2)
Is it necessary to add some fixed package name? I guess my keys are mismatching and I am not able to install the APK: Package com.app.cameradata has no signatures that match those in shared user android.uid.system; - Samiel
While executing this command, an error occurs on Windows 10: no conscrypt_openjdk_jni-windows-x86_64 in java.library.path - Guadiana