Signing my android application as system app

For anyone coming to this question who, even after reading the comments, is not able to make it work: it might be because there are some things missing (especially if you are getting OPENSSL errors). Here's everything you need.

Sign APK with test keys from the AOSP

  1. git clone https://android.googlesource.com/platform/prebuilts/sdk.git - Careful it's ~6GB, or you can download what you need, the signapk.jar file and the libraries.
  2. download the platform.x509.pem and platform.pk8 from https://github.com/aosp-mirror/platform_build/tree/master/target/product/security (or get your own keys corresponding to the image)
  3. With Java installed, change the following command to use the right paths for the files: the lib64 in the sdk you just cloned, the signapk.jar file, the platform key files and the apk to sign:

    # lib64 and signapk.jar are in the cloned sdk; the key files come from step 2;
    # the last two arguments are the app to sign and the signed app.
    # "$HOME" is used inside the quotes because "~" is not expanded there.
    java -Xmx2048m -Djava.library.path="$HOME/../sdk/tools/linux/lib64" \
        -jar ~/../sdk/tools/lib/signapk.jar \
        platform.x509.pem platform.pk8 \
        app-prod-release.apk release.apk

Answering your three questions:

1 - Where do I get these signature key?

From Android's own documentation in the section Release Keys

The Android tree includes test-keys under build/target/product/security

But the next part is where you should really pay attention

Since the test-keys are publicly known, anybody can sign their own .apk files with the same keys, which may allow them to replace or hijack system apps built into your OS image. For this reason it is critical to sign any publicly released or deployed Android OS image with a special set of release-keys that only you have access to.

So basically, unless you can somehow gain access to the manufacturer's private keys, it might be difficult to achieve this. This is why a user in a previous comment was saying this is usually achieved by producing your own build.

2 - Is it going to like a root access If ever I successfully managed to sign it?

You will not get "root access" by doing it, but you will get an extremely high level of access. Specifically, what this achieves is that you will be granted permissions declared with android:protectionLevel="signature", which is, arguably, the most exclusive one.

One other dangerous consequence (or fun, depending on how you look at it) of this is that you can now run your app under the system user process with android:sharedUserId="android.uid.system". Under Android's "process sandboxed" security rules this would normally fail.

3 - What is the difference between Root vs Signed with key?

With an app signed with the platform key from your build, you can get the permissions mentioned above, or run your app with UID 1000 (system UID), which in Android is much more powerful than the UIDs of other apps because of the permissions it can request. This behaviour is specific to Android, though. On a rooted device, you can use UID 0 (root), which has the broadest access in Linux-based systems; you can bypass most of the security sandboxing/checks/fences of the OS.

Hope this helps ;)
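An added example, not part of the answer above or of AOSP: a small Python audit that takes a decoded app manifest, the platform's permission declarations and the image's build.prop, and reports whether the app depends on the platform signature (android:sharedUserId="android.uid.system" or signature-level permissions) while the image still carries the test-keys build tag. All three inputs are constructed samples; manifests already decoded to text XML (for example by apktool) are assumed, and the function and field names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# All three inputs are constructed samples, not copied from a real image or app.
BUILD_PROP = "ro.build.type=userdebug\nro.build.tags=test-keys\n"
PLATFORM_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <permission android:name="android.permission.REBOOT" android:protectionLevel="signature|privileged"/>
  <permission android:name="android.permission.INTERNET" android:protectionLevel="normal"/>
</manifest>"""
APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed" android:sharedUserId="android.uid.system">
  <uses-permission android:name="android.permission.REBOOT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def image_uses_test_keys(build_prop):
    """True when ro.build.tags contains test-keys. This is a build label, not a
    cryptographic check, so treat it as a first-pass indicator only."""
    for line in build_prop.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "ro.build.tags":
            return "test-keys" in [t.strip() for t in value.split(",")]
    return False


def signature_level(platform_manifest):
    """Names of permissions whose protectionLevel includes 'signature'."""
    root = ET.fromstring(platform_manifest)
    return {p.get(A + "name") for p in root.iter("permission")
            if "signature" in (p.get(A + "protectionLevel") or "").split("|")}


def audit_app(app_manifest, platform_manifest, build_prop):
    """Report what this app gains from a platform signature on this image."""
    root = ET.fromstring(app_manifest)
    requested = {u.get(A + "name") for u in root.iter("uses-permission")}
    finding = {
        "package": root.get("package"),
        "wants_system_uid": root.get(A + "sharedUserId") == "android.uid.system",
        "signature_permissions": sorted(requested & signature_level(platform_manifest)),
        "image_on_test_keys": image_uses_test_keys(build_prop),
    }
    # The app's privileges rest on the platform key; on a test-keys image that key is public.
    finding["relies_on_public_keys"] = finding["image_on_test_keys"] and (
        finding["wants_system_uid"] or bool(finding["signature_permissions"]))
    return finding


if __name__ == "__main__":
    print(audit_app(APP_MANIFEST, PLATFORM_MANIFEST, BUILD_PROP))
```

An image that reports release-keys clears the `relies_on_public_keys` flag, but the tag is only a label: confirming which certificate actually signed the platform packages is a separate check.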


Well below is your answer,

  1. You can find platform keys from HERE. The command to sign apk (for linux) is:

    java -jar signapk.jar -w platform.x509.pem platform.pk8 APPLICATION.apk APPLICATION_sign.apk

    From Android 10 onward, the lib64 library path needs to be provided. It can be found at android/out/host/linux-x86 after generating a successful build; one can copy the folder or simply provide its path to generate the signed APK:

    java -Djava.library.path="<path to lib64>" -jar signapk.jar -w platform.x509.pem platform.pk8 APPLICATION.apk APPLICATION_sign.apk

  2. If you sign your apk with platform keys you won't require root access; you can simply install it with the "adb install" command. And yes, in some way it is like root because it can access all internal APIs, but keep in mind that if your app is system signed then you can't write to external storage.

  3. First of all, don't conflate the two: root is a user, whereas a system app is an application type that is distinguished from a normal application. The link below might clear up your confusion regarding it.

    what-is-the-difference-between-android-user-app-with-root-access-and-a-system-ap