APK hardening process

Packaging APK

The ./gradlew assembleRelease command packages the APK; the resulting APK is not hardened and does not meet the security requirements.

Log in to Tencent Cloud to perform security hardening

Open Tencent Cloud -> Mobile Application Security -> Application Security Hardening. The hardening service requires identity verification; any of the offered verification methods will do.

After verification succeeds, the application hardening page is displayed.

Click "Harden", then "Harden Now", and upload the application.

Click Confirm. Online hardening takes several minutes; when it is complete, the hardening result is displayed.

Viewing hardening results

Hardening is now complete; download the hardened package.

Re-signing

Tencent Cloud Application Security requires the APK's signature to be removed before hardening, so the hardened installation package carries no signature information and must be re-signed.

Use jarsigner, the signing tool shipped with the JDK.

Run jarsigner; if it is not on the PATH environment variable, it can be found in the bin directory under the JDK installation path.

$ jarsigner -help
jarsigner [option] jar-file alias
jarsigner -verify [option] jar-file [alias...]

[-keystore <url>]           keystore location
[-storepass <password>]     password for the integrity of the keystore
[-storetype <type>]         keystore type
[-keypass <password>]       private key password (if different)
[-certchain <file>]         name of the replacement certificate chain file
[-sigfile <file>]           .SF/.DSA file name
[-signedjar <file>]         name of the signed JAR file
[-digestalg <algorithm>]    name of the digest algorithm
...

Signature command

jarsigner -verbose -keystore <keystore file path> -signedjar <APK path to write after signing> <APK path to be signed> <alias>

The keystore file and the APK are in the same directory, and the signed APK is written to that directory as well.

$ jarsigner -verbose -keystore .\my-release-key.keystore -signedjar .\myapp1.apk .\myapp.apk my-key-alias
Enter Passphrase for keystore:
   adding: META-INF/MANIFEST.MF
   adding: META-INF/MY-KEY-A.SF
   adding: META-INF/MY-KEY-A.RSA
  signing: lib/arm64-v8a/libc++_shared.so
  signing: lib/arm64-v8a/libbetter.
  signing: assets/0OO00l111l1l
  signing: tencent_stub
[Trusted Certificate]

jar signed.

Warning: The signer's certificate is self-signed.

The signature succeeded.
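An added check for the re-signing step, not part of the original post or of Tencent Cloud's tooling: it inspects a package for JAR (v1) signature entries under META-INF/, refuses to sign one that is still signed, builds the jarsigner command shown above, and verifies the output with jarsigner -verify. The file names and zip contents below are constructed samples, and jarsigner is only invoked by resign(), never by the sample data.

```python
import io
import re
import subprocess
import zipfile

# A JAR (v1) signature consists of a .SF file plus a signature block
# (.RSA, .DSA or .EC) under META-INF/. MANIFEST.MF alone is not a signature.
# A freshly hardened package has none of these, because the hardening
# service strips the original signature.
_SIG_ENTRY = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.IGNORECASE)

def has_v1_signature(apk_bytes):
    """Return True if the APK (given as bytes) carries a JAR v1 signature."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return any(_SIG_ENTRY.match(name) for name in zf.namelist())

def jarsigner_command(keystore, signed_apk, unsigned_apk, alias):
    """argv for the re-signing command from the post (no shell quoting needed)."""
    return ["jarsigner", "-verbose", "-keystore", keystore,
            "-signedjar", signed_apk, unsigned_apk, alias]

def resign(keystore, signed_apk, unsigned_apk, alias):
    """Sign the hardened APK and verify the result; refuse an already-signed input."""
    with open(unsigned_apk, "rb") as f:
        if has_v1_signature(f.read()):
            raise ValueError(f"{unsigned_apk} already carries a signature")
    subprocess.run(jarsigner_command(keystore, signed_apk, unsigned_apk, alias), check=True)
    # -verify exits non-zero if the signature does not cover the archive.
    subprocess.run(["jarsigner", "-verify", "-verbose", "-certs", signed_apk], check=True)

def _make_apk(names):
    """Constructed stand-in for an APK: a zip containing the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"x")
    return buf.getvalue()

# Constructed samples: the hardened-but-unsigned package, and the signed output
# with the META-INF entries jarsigner added in the session above.
HARDENED_APK = _make_apk(["AndroidManifest.xml", "classes.dex",
                          "assets/0OO00l111l1l", "tencent_stub"])
SIGNED_APK = _make_apk(["META-INF/MANIFEST.MF", "META-INF/MY-KEY-A.SF",
                        "META-INF/MY-KEY-A.RSA", "AndroidManifest.xml",
                        "classes.dex", "assets/0OO00l111l1l", "tencent_stub"])

if __name__ == "__main__":
    print("hardened package signed?", has_v1_signature(HARDENED_APK))  # False
    print("signed output signed?", has_v1_signature(SIGNED_APK))       # True
    print(" ".join(jarsigner_command(".\\my-release-key.keystore", ".\\myapp1.apk",
                                     ".\\myapp.apk", "my-key-alias")))
```

Note that jarsigner only produces the v1 JAR signature; Android's apksigner is needed for the v2/v3 signature schemes that current Android versions require.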

If you like it, just give it a thumbs up and go