How to check an official Google APK

With all the rooted and custom mods out there for Android, it makes me nervous that some of the APKs that claim to be Google are really harmful.

Therefore, trying to check them, I extracted the public key ANDROID.RSA and tried to look it up on the Internet, but every Google search returns encryption methods for the public key on Android, and not how to check the actual Google APKs.

So my main question is:

How do I verify that a Google APK is actually a Google APK?

One specific RSA public key that I found:

    Owner: CN=Google NFC, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
    Issuer: CN=Google NFC, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
    Serial number: a8cd17c93da5d990
    Valid from: Wed Mar 23 21:06:53 EDT 2011 until: Sun Aug 08 21:06:53 EDT 2038
    Certificate fingerprints:
         MD5:  C9:E9:71:21:25:5D:E0:15:6F:3F:5B:24:B1:A8:47:6A
         SHA1: 82:75:9E:2D:B4:3F:9C:CB:AF:CE:31:3B:C6:74:F3:57:48:FA:BD:7A
         Signature algorithm name: SHA1withRSA
         Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 1C CE CE 0E EA 4D C1 12   1F C7 51 5F 0D 0A 0C 72  .....M....Q_...r
    0010: E0 8C C9 6D                                        ...m
    ]
    ]

    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 1C CE CE 0E EA 4D C1 12   1F C7 51 5F 0D 0A 0C 72  .....M....Q_...r
    0010: E0 8C C9 6D                                        ...m
    ]
    [CN=Google NFC, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US]
    SerialNumber: [    a8cd17c9 3da5d990]
    ]
+4
1 answer

I put this solution together while trying to check the Google Wallet APK download for my Verizon Galaxy Nexus.

To verify the signature of the application, you need a reliable source that has some version of the APK. Android forces application updates with the same package name to be signed with the same certificate, so Google Wallet cannot change its certificate without creating a new package name and requiring each user to reinstall the application.

  • Download the factory image containing Google Wallet from a trusted source

    https://developers.google.com/android/nexus/images#takju

  • Download system image extractor

    http://andwise.net/?attachment_id=406

  • Extract factory image

     tar xzvf takju-jro03c-factory-bf087655.tgz
     mv takju-jro03c/image-takju-jro03c.zip .
  • Extract embedded image (zip file)

     unzip image-takju-jro03c.zip 
  • Extract the system image extraction tool (file downloaded in part 2)

     tar xzvf ext4_utils.tar.gz
     chmod +x simg2img
  • Extract the mountable ext4 image from the system image

     ./simg2img system.img system.image.ext4 
  • mkdir sys

  • Mount the extracted ext4 image with the newly created sys/ folder as the mount point

     sudo mount -t ext4 -o loop system.image.ext4 sys/ 
  • View Wallet.apk Certificate

     unzip -p sys/app/Wallet.apk META-INF/CERT.RSA | keytool -printcert 
  • Compare the fingerprints and serial number (I copied them into Python strings and compared them this way). Finding a SHA-1 preimage requires approximately 2^160 guesses, so if the fingerprints match, the likelihood that the downloaded APK will turn out to be bad is small.

You can also install the Wallet.apk extracted from the factory image onto your phone with adb install sys/app/Wallet.apk, and then download the new APK to your phone and run it from the file manager to perform the update. Android will check the certificate for you.

+4
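The comparison step described in the answer, as an added example that is not part of the original post: a Python sketch that parses two `keytool -printcert` outputs and compares serial number and fingerprints field by field. `TRUSTED` reuses the certificate details quoted in the question as sample input standing in for the factory-image output, `LOOKALIKE` is constructed, and the function names are hypothetical.

```python
import re

# Identifying fields in `keytool -printcert` output (hex values, optional colons).
FIELD_RE = re.compile(
    r"^\s*(Serial number|MD5|SHA-?1|SHA-?256):\s*([0-9A-Fa-f:]+)\s*$", re.MULTILINE
)

def parse_printcert(text):
    """Return {FIELD: lowercase hex without colons} for the first certificate."""
    fields = {}
    for name, value in FIELD_RE.findall(text):
        key = name.upper().replace("-", "").replace(" ", "_")
        fields.setdefault(key, value.replace(":", "").lower())
    return fields

def compare_certs(trusted_text, candidate_text):
    """Check every field of the trusted output against the candidate."""
    trusted = parse_printcert(trusted_text)
    candidate = parse_printcert(candidate_text)
    if not trusted:
        raise ValueError("no certificate fields found in trusted output")
    details = {k: candidate.get(k, "") == v for k, v in trusted.items()}
    # The serial is chosen by whoever generates a self-signed certificate,
    # so a match must include at least one SHA fingerprint.
    has_hash = "SHA1" in trusted or "SHA256" in trusted
    return has_hash and all(details.values()), details

# Sample input: values as posted in the question.
TRUSTED = """Owner: CN=Google NFC, OU=Android, O=Google Inc.
Serial number: a8cd17c93da5d990
Certificate fingerprints:
     MD5:  C9:E9:71:21:25:5D:E0:15:6F:3F:5B:24:B1:A8:47:6A
     SHA1: 82:75:9E:2D:B4:3F:9C:CB:AF:CE:31:3B:C6:74:F3:57:48:FA:BD:7A
"""
# Constructed: same owner and serial copied into a different self-signed cert.
LOOKALIKE = """Owner: CN=Google NFC, OU=Android, O=Google Inc.
Serial number: a8cd17c93da5d990
Certificate fingerprints:
     MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

if __name__ == "__main__":
    print(compare_certs(TRUSTED, TRUSTED))
    print(compare_certs(TRUSTED, LOOKALIKE))
```

A matching fingerprint only identifies the certificate embedded in the file; also run `jarsigner -verify` or `apksigner verify --print-certs` on the downloaded APK so that the signature over its contents is checked.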