Android Software Reverse Engineering & Decompilation

Understanding & Exploiting Android’s V1/V2/V3 Signature Schemes: A Reverse Engineer’s View

By Antigravity Research Published May 29, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Android APK Signature Schemes

Android Package Kit (APK) files are the fundamental distribution format for Android applications. A critical component of APK integrity and authenticity is the digital signature. These signatures serve multiple purposes: they verify the origin of an application, ensure that the application hasn’t been tampered with since it was signed, and facilitate seamless updates by linking new versions to their predecessors. Over time, Android has evolved its signature schemes, moving from the original JAR signing (v1) to more robust whole-file integrity checks (v2 and v3).

For reverse engineers, understanding these schemes is paramount. Each scheme presents different challenges and opportunities for modification, analysis, and bypass. This article delves into the mechanics of Android’s v1, v2, and v3 signature schemes, highlighting their security features and, more importantly, how a reverse engineer might approach them to achieve their objectives, from simple modifications to sophisticated runtime patching.

Android Signature Scheme v1: The Original (and Vulnerable) Standard

How V1 Works

The Android Signature Scheme v1, introduced with the very first versions of Android, is based on standard Java JAR signing. When an APK is signed using v1, a `META-INF` directory is created within the APK. This directory contains three crucial files:

  • MANIFEST.MF: This file lists every file in the APK (excluding itself and other `META-INF` files) and its corresponding SHA1-Digest value.
  • CERT.SF: The Signature File contains the SHA1-Digest of the entire `MANIFEST.MF` file, plus SHA1-Digest values for each section in `MANIFEST.MF`.
  • CERT.RSA (or CERT.DSA): This is the digital certificate and the actual signature of the `CERT.SF` file, signed by the developer’s private key.

During installation, the Android Package Manager verifies the APK by first checking the integrity of `CERT.SF` using `CERT.RSA`, then checking the integrity of `MANIFEST.MF` using `CERT.SF`, and finally verifying the integrity of each APK file against the hashes in `MANIFEST.MF`.

V1 Vulnerabilities and Exploitation

While innovative for its time, v1 signing has a significant weakness: it only verifies the integrity of files *listed* in `MANIFEST.MF`. This means that any data *not* covered by a manifest entry, or files *added* to the APK that are not part of the `MANIFEST.MF` and `CERT.SF` calculations, can be modified or injected without invalidating the signature. For instance, modifying comments within a file, adding padding, or inserting entirely new, unreferenced files can sometimes go undetected.

From a reverse engineering standpoint, this opens a limited window for manipulation. While modifying existing, signed files will break the signature, you can often append new data or add entirely new files that the v1 verifier overlooks, as long as they don’t corrupt the APK’s structure in other ways. This doesn’t allow for code modification, but it can be useful for injecting resources or data.

You can verify a v1 signature using standard Java tools:

jarsigner -verify myapp.apk

Reverse Engineering Perspective

If you need to modify an application’s code or resources extensively, the most common approach for v1-signed APKs is to decompile, modify, and then re-sign with your own key. While this invalidates the original signature, it allows the modified application to be installed. However, any app-level integrity checks that rely on the original signature will likely detect this.

Android Signature Scheme v2: Enhancing Integrity with Whole-File Hashing

How V2 Works

Introduced with Android 7.0 (Nougat), Signature Scheme v2 addresses the shortcomings of v1 by introducing a whole-file integrity check. Instead of hashing individual files, v2 signs the *entire* APK file as a single, contiguous binary blob. The signature information is stored in an `APK Signing Block`, which is inserted immediately before the ZIP Central Directory in the APK file structure.

During verification, the Android system reads the `APK Signing Block`, extracts the cryptographic hashes, and then computes hashes for various sections of the APK (the ZIP entries section, and the ZIP Central Directory). These computed hashes are then compared against the hashes stored in the `APK Signing Block` and cryptographically verified using the public key.

The key innovation here is that *any* byte-level modification to the APK after it’s been v2-signed, regardless of whether it’s within a listed file or not, will invalidate the signature. This makes v2 significantly more secure than v1 against unauthorized modifications.

V2 Security and Challenges for Reverse Engineers

For reverse engineers, v2 signing fundamentally changes the game. Simple modifications that might have worked with v1 (like adding unreferenced files) will now always break the signature. This means that to introduce any change to a v2-signed APK, you *must* re-sign it. Re-signing with your own key will replace the original signature, which has several implications:

  • The app will not be recognized as an update to an original version.
  • Any in-app integrity checks that verify the original signing certificate will fail.
  • It may trigger anti-tampering mechanisms.

You can verify both v1 and v2 signatures using the Android SDK’s `apksigner` tool:

apksigner verify --verbose myapp.apk

Android Signature Scheme v3: Key Rotation and Backward Compatibility

How V3 Works

Building upon v2, Android Signature Scheme v3 was introduced with Android 9 (Pie) primarily to support *key rotation*. In previous schemes, an app was permanently tied to the key it was first signed with. If a developer’s signing key was compromised or expired, they would effectively have to publish a new app, losing their user base and update path.

V3 addresses this by allowing an app to declare an *ancestry* of signing certificates. The v3 signature block, contained within the v2 `APK Signing Block`, includes a proof-of-rotation structure. This allows an app signed with a new key to still be recognized as an update from an app signed with an older key, as long as the old key is part of the declared ancestry. This provides developers with much-needed flexibility for security and key management.

V3 Security and Reverse Engineering Considerations

From a security perspective, v3 primarily enhances developer flexibility and long-term key management without significantly altering the fundamental integrity protections introduced by v2. It still relies on the whole-file hashing mechanism of v2.

For reverse engineers, the core challenge remains the same as with v2: any modification to the APK file necessitates re-signing, which breaks the original signature and its chain of trust. While the key rotation aspect doesn’t directly create new vulnerabilities for tampering, understanding its presence is important for comprehensive analysis, especially when dealing with app updates from different publishers or over long periods.

Practical Exploitation and Integrity Check Defeat

Modifying V1-Signed APKs

For APKs signed only with v1, minor modifications are possible without invalidating the signature. This typically involves adding new files or modifying existing parts that aren’t hashed:

# Add a new file without invalidating V1 signature (if MANIFEST.MF doesn't list all files)zip -u myapp_v1.apk new_resource.txt

This technique is limited and doesn’t allow for arbitrary code changes. For substantial modifications, re-signing is still the primary path.

Overcoming V2/V3 Signatures: Re-signing and Runtime Patching

Due to the whole-file integrity checks of v2 and v3, any modification to the APK’s contents requires re-signing the APK. This process typically involves:

  1. Decompilation: Using tools like Apktool to extract the APK’s resources and Smali code.
  2. Modification: Editing Smali code, XML layouts, or other resources.
  3. Recompilation: Using Apktool to rebuild the modified APK.
  4. Re-signing: Using `apksigner` or `jarsigner` (for v1-only or just a new debug key) to sign the rebuilt APK with a new debug key.

Example workflow:

# Decompile the APKapktool d myapp.apk -o myapp_src# Navigate into myapp_src and make your desired modifications# e.g., edit Smali code in myapp_src/smali/com/example/MyApp/MyClass.smali# Recompile the modified APKapktool b myapp_src -o myapp_modified.apk# Sign the modified APK with your own debug keyjava -jar apksigner.jar sign --key my-debug.pk8 --cert my-debug.pem myapp_modified.apk

While effective for installing modified apps, re-signing breaks the original trust chain. Many sophisticated applications implement additional, app-level integrity checks that go beyond the system’s signature verification. These checks might include:

  • Hashing the DEX files at runtime and comparing them to expected values.
  • Checking the signing certificate hash against a hardcoded value (certificate pinning).
  • Verifying the installer package name via `PackageManager`.
  • Detecting common root detection or hooking frameworks.

To bypass these advanced checks, reverse engineers often turn to **runtime patching**. Tools like Frida or Xposed allow for dynamic instrumentation of an app’s code while it’s running. This means you can hook into critical methods, observe their behavior, and even modify their return values or arguments *after* the initial integrity checks might have passed. For instance, if an app has a method `checkSignature()` that returns a boolean, you can hook it and force it to always return `true`.

// Example Frida pseudo-code to bypass an integrity checkJava.perform(function() {    var IntegrityChecker = Java.use('com.example.myapp.IntegrityChecker');    IntegrityChecker.verifyAppSignature.implementation = function() {        console.log('Integrity check bypassed by Frida!');        return true; // Force bypass    };});

Runtime patching is often the only viable strategy when an app strongly relies on its original signature for critical functionalities or has robust anti-tampering mechanisms that detect re-signing.

Conclusion

Android’s signature schemes have evolved significantly, moving from the relatively permeable v1 JAR signing to the robust whole-file integrity checks of v2 and v3. For reverse engineers, this evolution means adapting strategies. While v1 allowed for limited static modification without breaking signatures, v2 and v3 necessitate either re-signing (which breaks trust) or dynamic runtime patching to bypass deep-seated integrity checks. Understanding the nuances of each scheme is crucial for effectively analyzing, modifying, and exploiting Android applications in a constantly evolving security landscape.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Reverse Engineering #APK Signature Bypass #App Tampering #Frida #Mobile Security

Related Technical Guides

Unmasking Private Services: Reverse Engineering Custom Android Binder Implementations

May 30, 2026

Unmasking Obfuscation: De-obfuscating Android App Logic On-the-Fly with Frida Gadget

May 29, 2026

Troubleshooting ClassNotFoundException in Custom Classloader Scenarios: A Debugging Playbook

May 30, 2026