DEV Community: LIAPP

"One-Click" for App Security!

LIAPP — Thu, 10 Aug 2023 02:43:38 +0000

Hello everyone!
This is Team LIAPP!

Did you know that you can secure your developed app with utmost ease, all with a single click?
The answer is right here, with LIAPP!

LIAPP provides hassle-free, robust, and highly visible security services, guaranteeing your mobile app's safety with just one effortless click!

LIAPP allows you to focus on your business with simple way of protection and helps you succeed in a great mobile service with strong hacking defense and convenient user-oriented hacking reports.

For an in-depth insight into the security features and what LIAPP has to offer, don't hesitate to explore our dedicated LIAPP website!

visit LIAPP

LIAPP's enhanced security features for the app!

LIAPP — Thu, 20 Jul 2023 05:49:34 +0000

Hello, LIAPP Team here!
We are pleased to announce that LIAPP has come back with enhanced security features for your app!
LIAPP's update details:

New Octopus GG detection
Enhanced Magisk detection
Enhanced Magisk Alpha detection
Enhanced Magisk Delta detection
Enhanced app tampering detection
Enhanced LDPlayer detection
Strengthened LIAPP compatibility
Strengthened BlueStacks compatibility
Enhanced app performance speed
Strengthened compatibility with OS and security folders
Strengthened compatibility when converting aab files to universal.apk
Strengthened compatibility with ONE GameLoop
Strengthened LIAPP start function (init) to prevent ANR (Application Not Responding)

If you have interested in app security, do not hesitate to contact us at: support@lockincomp.com

See you!
LIAPP TEAM

NEW LIAPP is coming!

LIAPP — Wed, 28 Jun 2023 06:03:52 +0000

Hello, LIAPP Team here!

We are pleased to announce that LIAPP will renew our website and update the LIAPP security features to provide you with better service and improve the user interface. Please take note of the following LIAPP update notice to ensure a seamless experience.

Update Schedule: June 29, 2023, 21:00 - 24:00 (UTC + 9)

During the above mentioned LIAPP update, LIAPP website access and the ability to apply LIAPP will not be available. We kindly request you to check the schedule in advance and plan your LIAPP usage accordingly.

Furthermore, after the mentioned update, please apply LIAPP and conduct thorough testing before distributing your app.

LIAPP update details:

New Octopus GG detection
Enhanced Magisk detection
Enhanced Magisk Alpha detection
Enhanced Magisk Delta detection
Enhanced app tampering detection
Enhanced LDPlayer detection
Strengthened LIAPP compatibility
Strengthened BlueStacks compatibility
Enhanced app performance speed
Strengthened compatibility with OS and security folders
Strengthened compatibility when converting aab files to universal.apk
Strengthened compatibility with ONE GameLoop
Strengthened LIAPP start function (init) to prevent ANR (Application Not Responding)

If you have any additional inquiries, please feel free to contact us at support@lockincomp.com.

(Note: If you encounter any issues accessing the LIAPP website after the mentioned update, please try clearing your browser's cookies and cache before retrying.)

Want to know more about LIAPP? visit LIAPP!

Thanks!
LIAPP TEAM

New LIAPP website is coming!

LIAPP — Thu, 15 Jun 2023 06:46:47 +0000

Hello, LIAPP TEAM here!

LIAPP TEAM would like to inform you about the upcoming LIAPP update and the renewal of our website.
LIAPP is coming with updates and a new website in late June!

LIAPP Update Details:

New Octopus GG detection feature.
Strengthened Magisk detection capability.
Enhanced Magisk Alpha detection.
Enhanced Magisk Delta detection.
Enhanced app tampering detection.
Enhanced LDPlayer detection.
Strengthened LIAPP compatibility.
Strengthened BlueStacks compatibility.
Strengthened app performance speed.
Strengthened compatibility with operating systems and security folders.
Strengthened compatibility when converting aab files to universal.apk.
Strengthened compatibility with ONE GameLoop.
Strengthened LIAPP initialization function (init) to prevent ANR.

Stay tuned with LIAPP!
LIAPP is coming for better service.
Do you want to know more about LIAPP and the update?
Come and visit LIAPP!

To apply security on APP I developed 1 - Analyze APP

LIAPP — Tue, 16 May 2023 05:34:57 +0000

The application of the LIAPP is divided into three steps.

(1) Analyze APP
(2) Apply Security
(3) Download and Distribution

(1) ‘Analyze APP’

This is a very useful step for people who don’t know what security options to apply to their APP.
Click the ‘NEW APP’ button on the left side of the LIAPP site to easily enter the ‘Analyze APP’ step, as shown below.

[ OS ]
It distinguishes whether the app has been developed for Android or iOS.

[ NAME ]
This field is entered the name of the app for your convenience.
Finally, drag & drop app files or select files(android : .apk, iOS : .IPA) and click the ‘GO’ button to start an app analysis and appear the selectable options by user among the suitable security options.

[ 1st step : select class to protect ]

The first page is a page you can select the important classes you want to protect within the app.
When entering this page, LIAPP analogizes the class to be initially protected and suggests basically.
Once set. LIAPP will encrypt the selected class within the app in the next ‘Apply Security’ step and encrypts the important/critical string declared internally.

Class encryption and important/critical string encryption are one of the most important functions for protecting apps.
These functions may not leak important functions and information from hackers or competitors by not exposing POST values, URLs, account information, and other extremely important information declared by the app during development.

Please note that Class encryption is one of the most resourse-intensive tasks when running apps.
Therefore, it is not recommended to select classes that will not need to be protected by the fact that the more classes you choose, the slower the app will be initially driven.
Class that you don’t need to protect.

The basic classes provided by Android, or 3rd party sdk downloaded and used externally, are not important properties of the company, so it is effective in execution.

The second page is for customers who use the ‘google play app signing’ system provided by Google market.
Using google play app signing is to avoid detection of the anti-tamper function of the LIAPP because a new signing is made by using the signing key registered with google , rather than the last one you signed and some internal files are also changed.
If you don’t use the ‘google play app signing’ system, you can proceed to the next step without selecting the appropriate part.

[ 3rd step : JNI NATIVE FILE PROTECTION ]

The third page is a function that protects the JNI NATIVE LIBRARY used by the app.
Select any file in the list that you want to protect and it will be encrypted and stored in the app to prevent malicious analysis.
If you are not using JNI NATIVE LIBRARY, the page does not appear.

[ 4th step : UNITY Protection ]

The fourth page is for users who have developed apps using UNITY.
Click the check box to encrypt and protect the sensitive code of the user created by UNITY.

This concludes all the procedures for app analysis.
It’s a little bit longer to explain the precautions and the actions actually being protected by the LIAPP, but if you go ahead, you’ll see a few clicks that ends very quickly.

If you want to learn details about it, visit LIAPP’s website @ https://liapp.lockincomp.com/blog/

New Android banking trojan called "Sharkbot", its way of attack and how to defend

LIAPP — Mon, 24 Apr 2023 02:40:19 +0000

Malware? not the antivirus?

Antivirus app downloaded to prevent from hacking, but this app has been controversial as it has been found to be malicious malware that infiltrates users' mobile devices, manipulates banking applications, and remits assets to the outside.
"Sharkbot", a Trojan horse that first appeared in October 2021 and continues disturbing Google. These can be easily downloaded from the official Google Play Store, but it turns into malicious apps at some point after being installed on the user's smartphone.

What is Sharkbot?

Sharkbot is a new-generation Android banking Trojan discovered by the Threat Intelligence team of the security company Cleafy. Sharkbot masquerades as a mobile app or a commonly used app with common name and icon.

Sharkbot is known to use the work "Sharked" in the binary of the APK file, and once the malware is installed, it executes key logging, SMS message interception, overlay attack, and remote control commands. Thee apps were already downloaded by more than 15,000 users worldwide, with most victims believed to be in the UK and Italy. Google, of course, they quickly deleted these apps and announced that they took action on other apps presumed to be Sharkbot.

How did they trick Google?

Usually, the app must go through a pre-inspection process prior to registering an app on an official stores such as Google Play. However, Sharkbot has been registered as a safe app as if it were a safe application tricking Google. How did this happen?
According to the analysis, Sharkbot has a variety of anti-analysis functions which allows it to detect sandbox environment or adjust the triggering time of hacking. Above all, full-fledged malicious functions are additionally downloaded from external C&C servers. This is the reason that there were no problems found during the inspection of the Google Play Store.
It is very difficult to catch Sharkbot that has a domain generation algorithm (DGA) that can freely change external C&C domain and a geofence functions that deactivate malicious functions in a specific area.

How did Sharkbot get a permission from users?

The Sharkbot dpownloaded on the user's smartphone reveals it's malignity the moment it receives an external command. Sharkbot is similar to other malware such as TeaBot and UBEL, it displays malicious pop-ups that repeatedly ask for extensive permission to steal user's sensitive information. Sharkbot, like other similar malware such as TeaBot and UBEL, displays malicious pop-ups that repeatedly require extensive authorization to steal user's sensitive information.

Sharkbot will be able to get all the permissions (declared in the AndroidManifest file) needed to hack the banking app once accessibility permissions and services are activated by user.
Sharkbot then uses Android's accessibility service authority to display an overlaid window over a normal mobile banking app to induce the user to enter personal information, obtain the login credentials of the acquired bank app, and send them to a malicious server.

ATS (Automatic Transmission System) of the Sharkbot

This information is used to access email, social media, online bank accounts, and more. With the permissions shown in the figure above, the Sharkbot can read or send text messages and perform overlay attacks. In particular, the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission could bypass Android's doze component and connect to the C2 server to continue its malicious action.
Money is now transferred out of the victim's bank account. During this process Sharkbot can intercept the device's SMS messages and use them to get the 2FA sent by the bank. As attackers do not have to register new device for fraudulent activity, it is difficult to detect that money are being stolen even if the money is transferred from the victim's bank account.

The way how SharkBot avoids detection

SharkBot has a technology to avoid from anti-virus detection. It includes several features to avoid analysis and detection, such as inspecting and running emulators, encrypting command and control communication with remote servers, and hiding icons from the home screen after installation. Strings can be obfuscated to slow down static analysis and hide all commands and sensitive information used by the malware. Below is a list of other evasion features Sharkbot are using.

Anti-emulator : It determines whether it is a real phone or an emulator when malware is installed on a device.
External ATS module : The installed malware downloads additional modules from C2, and external modules are ".JAR" files that contain all the functions used to perform ATS attacks. This module is analyzed by Sharkbot in paragraph of the ATS module.
Hide icon app : If malicious program is installed, Sharkbot hides from the app's icon from the device screen.
Prevent deletion : Sharkbot uses accessibility services to prevent users from uninstalling the program from the setting options like other malware.
Encrypted communication : All communication between the malware and C2 is encrypted and encoded with Base64, also use the domain generation algorithm (DGA).

How to detect and prevent Sharkbot?

While various security comapanies and stores are trying to defend themselves, it is no longer safe to trust such as APP Store and Google Play.
Users need to be alert now that malicious apps that try to hack into banking are constantly discovering new versions. This is why users should avoid installing apps that are unknown sources or that require excessive permissions, and periodically update legitimate antivirus to the latest version. In addition, it is important for individuals to carefully check the reviews, number of downloads and developer information each time downloading an app. It is also recommended to suspect and view apps that request permission for accessibility services unless there is a special case.
Companies that provide banking apps should take proactive steps to strengthen the security of the apps themselves and to detect&block malicious malware. LIAPP can detect apps known as Sharkbot through pattern detection. Also, LIAPP can prevent Sharkbot from hacking banking apps by performing functions such as overlay detection, remote control program detection, and screen capture program prevention. If you are a banking app service company, please contact the LIAPP team about Sharkbot. We will provide with more detailed consultation.

LIAPP, we provide the best service possible.

Google’s policy on target API level and LIAPP’s compatibility.

LIAPP — Thu, 23 Mar 2023 05:54:36 +0000

Hello readers! A news flash here!

Do you remember that Google announced that they are expanding the target API level requirement for the purpose of protection of users’ privacy and security?

Starting August 31, 2023,
• New apps and app updates must target API level 33 (Wear OS must target API 30).
• Existing apps must target API level 31 or above to discover from Google Play. (Apps that target API level 30 or below (target API level 29 or below for Wear OS), will only be discoverable on devices running Android OS same or lower than your apps’ target API level.)

Although this may request to extend until Nov 1, 2023, expansion of the target API level is unavoidable.

But don’t worry! LIAPP has no problem even with API level 33. We already went through the compatibility test.

This means it is possible to apply LIAPP to app targeting the latest API level.
Be agile in responding to Google policies and always stay vigilant to provide your app and users with a more secure app service!

LIAPP is here with you to protect your app with recent policy of Google.

We want to make sure you have ample time and resources to get prepared:
• For exact timelines,Target API level requirements for Google Play apps
• For technical guidance, refer to this migration guide
• To learn more, watch the April 2022 PolicyBytes

LIAPP has won an award in Cyber Security Awards 2023!

LIAPP — Thu, 09 Mar 2023 06:57:20 +0000

Hello! This is the LIAPP team!

We are excited to share some great news with you.
LIAPP has recently won awards in three different categories Mobile Application Security, Application Security, and Runtime Application Self-Protection, which are all related to app security.
Winning these awards is a testament to LIAPP's commitment to ensuring top-notch app security.

We take pride in our app security and we believe that through LIAPP, your developed app too can be secure.
So why not give LIAPP a try and see for yourself how we can help you with your app security needs?

LIAPP protects apps using its action-based detection system and is currently being used in various industries such as fintech, gaming, and enterprise in multiple countries.

We are confident in LIAPP's app protection system!

LIAPP, we provide the best service possible.

A Response Measure to the Security Threat of Virtual Space App

LIAPP — Thu, 02 Mar 2023 07:28:24 +0000

Virtual Space App

Recently, the Virtual Space App, which allows you to use the same app dual on one smartphone, has been gaining popularity. Virtual Space App creates an isolated virtual environment within a single smartphone and provides an environment where the same app can run dually inside. For example, SNS and chat apps are dually created on one device, so you can log in to two accounts simultaneously without logging out and play the same game with two IDs simultaneously.
his convenience exposes many security threats to users who use Virtual Space App and to users who use Virtual Space App and the APP services they install on Virtual Space App to run dual.

Two Sides of Virtual Space App security threats

With this Virtual Space App, you can easily create dual apps because one app can be run through multiple instances, but behind this convenience, there are also many security problems.

Basically, apps installed on Android manage the data they generate in the sandbox area, which runs with its own UID(user identifier) and GID(group identifier) when the app is installed. These separately managed apps on the system cannot invade each other's sandbox area, so you can isolate apps from each other and protect them from malicious apps.

However, suppose you install certain apps on the Virtual Space App to use dual apps. In that case, the UID and GID of all apps in the Virtual Space App are set to the same, allowing access to each app's usage area and memory, which poses a significant security threat.

For users who use the Virtual Space App, the Guest App installed inside the Virtual Space App requires additional user data access to prevent the app from crashing, dramatically increasing the security threat inside the mobile system.

1. Threats to APP
In Virtual Space App, various isolation mechanisms provided by the Android system, such as permissions, storage, and components, are broken. Even if an app already has basic security functions, when run inside the Virtual Space App, the security sandbox is unlocked, exposing malicious malware apps installed inside to hacking threats such as accessing personal files or replicating and tampering with common apps.
In addition, each other's processes can be accessed within the same Virtual Space App, so you can receive the same level of threats as those from the rooted device, such as memory tampering.
In the case of a specific memory cheating tool, the use of Virtual Space App is recommended among execution methods on non-rooted devices, so it is emerging as one of the threats to be blocked for safe APP service.

The following are the types of attacks that an APP installed in the Virtual Space App can receive.

(1) Increase permissions attack

Generally, when you use a virtual space app, your device pre-applies several permissions and features. If malicious malware APP is installed inside a virtual space app, you can use these permissions to access or leak sensitive data, such as user search history and cookies. This means that customer information of common apps installed inside virtual space apps and important information about app services may be exposed. Other processes can also access memory on my APP that can be used to expose critical memory and memory tampering attacks.

(2) Code insertion attack

Inside the Virtual Space App, a malicious Malware APP can tamper with the executables of other APPs, which are loaded via dynamic loading. At runtime, most APPs can load executable files (such as .dex files, .jar files, .so files) stored in private directories, and malicious Malware APPs installed inside the Virtual Space App can tamper with or replace these files, which can lead to code insertion attacks on other targeted APPs.

(3) Replication attack

If malicious malware APP A and regular app B are executed in the same Virtual Space App, A can secretly compress and upload important information created and entered when B is running to a remote server. You will be able to log directly into the regular app.

2. Users Who Installed Virtual Space App Will Face the Following Threats

In fact, the Virtual Space App is designed for your convenience. In fact, the Virtual Space App is designed for your convenience. Specifically, users who install Virtual Space App are exposed to hacking threats due to Virtual Space App attacks and malicious malware attacks. Below is a description of the threats faced by the user who installed the Virtual Space App and the hacker attacks.

(1) Hijacking attack

It is a hijacking attack that can arbitrarily control the execution of an APP on a device with the numerous privileges of the Virtual Space App. For example, a malicious Virtual Space App can intercept user input from the login window after APP starts with root permissions on the victim's device. This user's login eligibility is captured, and malware can remotely upload them to the server to intercept and exploit the user's input data.

(2) Ransomware attack

Inside the Virtual Space App, a malicious Malware APP can encrypt or delete files from other APPs. The attacker demands a certain amount of ransom from the user, and the user must pay the ransom to restore the original file. Because this ransomware can be automatically propagated to cloud servers and other client devices, it is also dangerous that files encrypted with malicious Guest App can be uploaded to the cloud through the automatic synchronization mechanism of the cloud.

(3) Phishing attack

In Android 5.0 and later, third-party apps cannot call the getRunningTasks() function to obtain foreground application process information, but this is allowed within the Virtual Space App. This enables a phishing attack in which a malicious Guest App intercepts the security information that the user enters in the Android app. This may expose the information entered by the user.

A Response Measure to the Security Threat of Virtual Space App

The fundamental reason for all these security risks is that the apps installed within the Virtual Space App share the same UID, so access rights are shared.
In any case, it's never a good idea to set a level of security that makes your app data accessible to anyone.
Therefore, in order to defend against these security threats, users should refrain from using the Virtual Space App, and service providers that service the APP should be able to detect and block the APP running in the Virtual Space App.

LIAPP detects that your mobile app is running on the Virtual Space App, protects the app by blocking it from running, and protects it from the risk of exposing sensitive information from APP users.
As Virtual Space App users continue to increase, LIAPP team strongly recommends preparing thoroughly for security.

LIAPP, we provide the best service possible.

[TECH]PCI SSC Security Requirements for Fintech Apps

LIAPP — Fri, 24 Feb 2023 04:40:19 +0000

Hello, this is LIAPP TEAM.

The security issue of Fintech apps is emerging as a hot topic in various fields worldwide. xpectations for Fintech apps are rising as financial services become more advanced and payments in non-financial IT sectors are active. Still, the frequency of personal information leakage accidents is also increasing. Therefore, to make lesser concerns about the exposure of personal information of Fintech app users, Fintech companies should do their best to strengthen security with safety as collateral, away from reckless evasion of responsibility.

For this reason, the payment card industry data security standard (PCI-DSS, Payment Card Industry Data Security Standard) is emerging as a security standard for Fintech companies. Five multinational card payment brands, VISA, MasterCard, American Express, DISCOVER, and JCB International, have established the Payment Card Industry Security Standards Committee (Payment Card Industry Security Standards Council, hereafter PCI SSC).

Their mission is to protect personal information related to payment and provide technical requirements for protecting cardholders' data and sensitive personal information data.

This content has been written to help you understand each item of the PCI Mobile Payment Acceptance Security Guidelines, issued separately by the PCI SSC for the security of mobile card payment systems. In addition, we will introduce the security features of LIAPP that can be applied to each item in order to comply with PCI regulations and show you how to protect Fintech apps strongly.

LIAPP Auth

4.2 Create server-side controls and report unauthorized access

This recommendation is for developing a comprehensive payment authorization solution that can detect, report, and disconnect unauthorized access attempts or abnormal behavior to mobile apps. This is the LIAPP Auth function of LIAPP, which blocks bypass connections directly to the app server, and can be set up to prevent the app from running through an abnormal path.

Detect and block LIAPP Root/Jailbroken and Virtual Machine Devices

4.3 Prevent escalation of privileges

It is recommended to block routing, run apps on escaped devices, and increase security by sending alarms or warning messages if a risk is detected. However, mobile hacking is primarily caused by not blocking unauthorized connections. LIAPP can detect unauthorized access from routing, rooted or jailbroken devices, OS-tampered devices, and virtual machines, sending out alarms and strongly blocking app execution and access.

LIAPP Anti-Tampering, Anti-Debugging and Anti- Repackaging

4.7 Harden the application

This item is an application enhancement that prevents users from unintentionally accessing mobile apps or inserting malicious code and recommends anti-tempering with reverse engineering. LIAPP prevents analysis through decompile or reverse engineering by encrypting critical source codes, dynamic analysis during app execution with an anti-debugging function, and blocks tampering with the app by detecting signs of app modulation. Anti-repacking blocking can also prevent malicious redistribution by protecting sensitive information files used by apps.

LIAPP Realtime Hacking Tools Registration

4.10 Protect against known vulnerabilities

It recommends patching mobile devices and apps to ensure they are always up to date. As a result, LIAPP can strongly block known hacking techniques and directly register hacking tools to address the latest security vulnerabilities.
LIAPP's premium plans; LIAPP Enterprise and LIAPP For Game provide servers and monitoring dashboards dedicated to customers, enabling real-time reporting of the number of app users, hacking incidence, and hacking types. In addition, users can immediately change the on/off button to enable features such as anti-debugging, integrity modulation detection, virtual machine detection, hacking tool detection, and administrator rights detection.

Compliance with PCI SSC security regulations is not just about preventing privacy leaks. In addition, it increases the reliability of Fintech apps, improving its reputation for Fintech services. As mobile payments through Fintech apps gradually play a central role in the payment industry, compliance with related regulations is now becoming an essential factor. Compliance with PCI SSC may initially seem complicated, but mobile security services such as LIAPP make it easier and simpler to apply security features.

If you've already released or are preparing for a Fintech app, why don't you take this opportunity to strengthen your mobile app security policy with LIAPP? About a month before the app's launch, LIAPP team recommends a schedule to distribute it to the market by strengthening security in advance. We hope that it will become a Fintech app service that runs fast in the global market with LIAPP in the future.

[Source of data]
https://www.pcisecuritystandards.org/pci_security/
https://www.pcisecuritystandards.org/about_us/
PCI Mobile Payment Acceptance Security Guidelines / PCI Mobile Payment Acceptance Security Guidelines for Developers.pdf

LIAPP, we only offer the best service.

[LIAPP FEATURES] React Native Protection

LIAPP — Fri, 17 Feb 2023 06:49:12 +0000

LIAPP provides robust and useful features to protect mobile apps against various threats.
This post will discuss LIAPP’s React Native protection to protect mobile apps made by React Native. We will explain how it works and what its effect is.

With the tremendous popularity of React Native, there are quite a lot of Hybrid apps released developed by React Native.
It is a top priority to protect app services made by React Native.

LIAPP provides diverse security features to protect app services developed by React Native, especially LIAPP’s React Native Protection provides a feature to protect bundle file ( java script file(.js)) by encryption.

And it is LIAPP’s specialty to maintain high security by creating an encrypted key every time it is applied.
In this way, LIAPP users can expect to increase efficiency and save resources for developing and running mobile apps by protecting essential logic and app without having to do a high and challenging task such as setting up encrypted logic, applicable system, and managing keys safely.

» Pure bundle file

» Protected bundle file with LIAPP

As you can see, LIAPP’s React Native Protection feature and LIAPP’s Anti-tampering, Anti-dumper, Memory protection, and Root detection features will protect package files which app service needs a standard security package file.

LIAPP, we provide the best service possible.

ANDROID APP SIGNING & ZIPALIGN

LIAPP — Thu, 09 Feb 2023 05:53:32 +0000

Android apps can be created using a variety of programming language and development programs.
These Android apps are distributed through various channels and are installed on Android devices.

In order to build a completed Andrioid apps, a signing procedure is required to identify the app creator.

Usually, the development program does this automatically, so no extra work is needed. However, if you apply security services such as LIAPP to an app, the app package will change, and you will have to sign it manually.

Signing with jarsigner

You can sign the Android app using either apksigner or jarsigner.
Apksigner is a tool provided by Android SDK Build Tools of version 24.0.3 and later and can only be signed on apk files.
Jarsigner is a tool included in Java that can be signed both apk and an aab(Android App Bundle) files.

In this post, we will be specifically covering how to sign with jarsigner.

Preparations

JAVA ( jarsigner )

Key file ( .keystore or .jks )

Alias and PassPhrase (password) that were set when key file was created

Jarsigner can be simply used by entering command lines in the form presented below on programs such as cmd in Windows or terminal in Mac.

[ APK ]
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore "KEYSTORE_PATH" "APP_FILE_PATH" "ALIAS_NAME"
[ AAB ]
jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore "KEYSTORE_PATH" "APP_FILE_PATH" "ALIAS_NAME"

What we need to focus on here is the part marked with double quotation marks (").

[ KEYSTORE_PATH ]

Enter the path to the keystore.

Usually, it has an extension of .keystore or .jks.

How to check the keystore in Android Studio Build Menu => Generate Signed Bundle / APK => Select Android Aab Bundle or APK => Check Key store path

How to check keystore from Unity File Menu => Build Settings => Player Settings => Publishing Settings => Check the Path=> Check the location of a file with the identified name [ APP_FILE_PATH ]

Enter the path to the app file you wish to sign. [ ALIAS_NAME ]

Enter the Alias name created when you created the key.

How to check Alias from Android Studio Build menu => Select Generate Signed Bundle / APK => Select Android Aab Bundle or APK => Check Key alias

How to check Alias from Unity File Menu => Build Settings => Player Settings => Publishing Settings => Check Alias

A message to enter the password for the keystore will appear once you proceed a command.

Enter Passphrase for keystore:

When typing the keystore password, the password characters will not be displayed on the screen, but are actually entered.
In the case where incorrect password is entered, an error message as show below will appear.

jarsigner error: java.lang.RuntimeException: keystore load: Keystore was tampered with, or password was incorrect

Once the correct keystore password has been entered, you will proceed to the next step.
If the keystore password and key password are identical, the signing will proceed immediately.
If the keystore password and key password are different, you will be prompted to enter the key password.

Enter key password for ALIAS_NAME:

Once the correct key password has been entered, signing will proceed and "jar signed." will be displayed when the siging is completed.

In the command line, the -storepass and -keypass options allow you to specify and execute passwords in advance.
If you use this option, a message to enter the password will be not displayed; instead, password will be automatically entered.

[ APK ]
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore -storepass [Keystore_password] -keypass [Key_password] "KEYSTORE_PATH" "APP_FILE_PATH" "ALIAS_NAME"
[ AAB ]
jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore -storepass [Keystore_password] -keypass [Key_password] "KEYSTORE_PATH" "APP_FILE_PATH" "ALIAS_NAME"

Occasionally, there is a case when receiving an error message although a valid password has been entered.
In this case, you should first check whether the keystore or Alias information is entered correctly.
Errors can also occur if the file name and path contain spaces or special characters.

APK zipalign

APK files that have been signed with jarsigner require further sorting using zipalign.
There are no problems with installation and execution without zipalign, but it may fail when registering with the App Market for distribution.
For AAB files, there is no official guide to zipalign, so it is not required.

You can run the command line in the form below for zipalign.

zipalign -f -v 4 "apk file Path that needs zipalign" "apk file Path that will be saved after zipalign-ing "

Signing & zipalign with script file

So far, we've learned how to sign and zipalign manually.
The script file below is a sample script that will make signing and zipalign easier.

[ script for windows ]
[ script for MAC ]

Please see details below for your information using sample script.
Open the downloaded file in Notepad or Text Editor, modify it based on the contents below, and save the file.

KeyStorePath=" Keystore path "
ALIAS_NAME="alias name"
STORE_PASS=" Keystore Password"
KEY_PASS="Key password"
ZIP_ALIGN="zipalign File Path"

The zipalign file is located in build-tools in the path where Android SDK is installed.
If you want to enter your own password without saving it, the -storepass and -keypass related options need to be removed.

Windows users can drag the app file to be signed to the LIAPP_sign_window.bat file and it will run immediately.
MAC users can run a terminal program either by dragging script files and app files in order, or entering paths as shown below.

Ex. /Users/username/Downloads/LIAPP_sign_mac.sh /Users/username/AndroidStudioProjects/MyApplication/app/release/app-release.apk

When running normally, contents such as \bs"signing: path/file" will be displayed and "jar signed." will be displayed when completed. If "jar signed." does not appear and an error occurs, check the relevant information and close the window. After that, take action on the error and re-run it. If the script has no problem running normally, contents such as "signing: path/file" will be displayed and "jar signed." will also appear once completed.
If an error appears rather than "jar signed.", check the related information provided and close the window.
Then, take action on the error and run it again.
Errors can also occur if the file name and path contain spaces or special characters.

APK files must be signed first and then zipaligned.
If the message "jar signed." has been confirmed without any issues during the signing process, press any key to proceed with the next zipalign steps.
A message with "Verification succesful" will be shown if zipalign is successfully completed.
The zipalign completed file is saved with _zipaligned following the file name.

For more information on signing and zipalign using jarsigner, please refer to the URL below.

jarsigner : https://docs.oracle.com/javase/8/docs/technotes/tools/windows/jarsigner.html
app-signing : https://developer.android.com/studio/publish/app-signing
zipalign : https://developer.android.com/studio/command-line/zipalign

LIAPP, we provide the best service possible.