Home/ Questions/Q 8628979
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T08:41:22+00:00

With all of the rooting and custom mods out there for android, it makes

  • 0

With all of the rooting and custom mods out there for android, it makes me nervous that some of the apks that state they are google’s are actually malicious.

So in trying to verify them I’ve extracted an ANDROID.RSA public key and I have been trying to verify it online.. but every google search turns up methods of doing public key encryption on android and not how to verify actual google apks

So my basic question is:

How do I verify that a google apk is actually a google apk?

The one particular RSA public key I found:

Owner: CN=Google NFC, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Issuer: CN=Google NFC, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Serial number: a8cd17c93da5d990
Valid from: Wed Mar 23 21:06:53 EDT 2011 until: Sun Aug 08 21:06:53 EDT 2038
Certificate fingerprints:
     MD5:  C9:E9:71:21:25:5D:E0:15:6F:3F:5B:24:B1:A8:47:6A
     SHA1: 82:75:9E:2D:B4:3F:9C:CB:AF:CE:31:3B:C6:74:F3:57:48:FA:BD:7A
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1C CE CE 0E EA 4D C1 12   1F C7 51 5F 0D 0A 0C 72  .....M....Q_...r
0010: E0 8C C9 6D                                        ...m
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 1C CE CE 0E EA 4D C1 12   1F C7 51 5F 0D 0A 0C 72  .....M....Q_...r
0010: E0 8C C9 6D                                        ...m
]

[CN=Google NFC, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US]
SerialNumber: [    a8cd17c9 3da5d990]
]
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I put this solution together while trying to validate a download of the Google Wallet APK for my Verizon Galaxy Nexus.

    To verify an applications signature you need a trusted source that has some version of the apk. Android forces application updates with the same package name to be signed by the same certificate, so Google Wallet can’t change their certificate without creating a new package name and requiring every user to re-install the app.

    1. Download a factory image that contains Google Wallet from a trusted source

      https://developers.google.com/android/nexus/images#takju

    2. Download system image extractor

      http://andwise.net/?attachment_id=406

    3. Extract factory image 

      tar xzvf takju-jro03c-factory-bf087655.tgz  
mv takju-jro03c/image-takju-jro03c.zip .

    4. Extract embedded image (zip file) 

      unzip image-takju-jro03c.zip

    5. Extract system image extractor (the file we downloaded in part 2)

      tar xzvf ext4_utils.tar.gz  
chmod +x simg2img

    6. Extract an ext4 mountable image from the system image 

      ./simg2img system.img system.image.ext4

    7. mkdir sys

    8. Mount the extracted ext4 image with the newly created sys/ folder as the mount point

      sudo mount -t ext4 -o loop system.image.ext4 sys/

    9. View the Wallet.apk certificate 

      unzip -p sys/app/Wallet.apk META-INF/CERT.RSA | keytool -printcert

    10. Compare the fingerprints and serial number (I copied them into python strings and compared them that way). Finding a SHA-1 pre-image attack requires roughly 2^160 guesses, so if the fingerprints match the chances of the downloaded APK being bad are slim.

    You can also sideload the factory image extracted Wallet.apk onto your phone adb install sys/app/Wallet.apk, then download the new apk on your phone and launch it from a file manager to perform an upgrade. Android will do the certificate validation for you.

    • 0