
Apk with system privileges

Hello all! Many people ask me how to sign an apk with the system certificate (so that it gets system privileges and can, for instance, install apks in the background, as I showed in the previous post), so I decided to write this post to help everyone.

To do this, you first need the key pair that was used to sign the Android build installed on the device: a private key and certificate (.pk8 + x509.pem) from which to generate a Java keystore. Failing that, the system running on your device must use the default certificate that ships in the Android source code, i.e. the engineer did not create a custom certificate to sign the system, which is the case with the Android emulator and some ROMs.

The Android platform has a key/certificate pair (platform.pk8 + platform.x509.pem). It can be found under {Android Source}/build/target/product/security.

To sign your apk, you first need to create a Java keystore file (.keystore) that combines these system files (.pk8 + x509.pem) into one.

To do this, you can use keytool-importkeypair with the command:

./keytool-importkeypair -k google_certificate.keystore -p android -pk8 platform.pk8 -cert platform.x509.pem -alias platform

You can download keytool-importkeypair here, or download the zip file directly here.

usage: keytool-importkeypair [-k keystore] [-p storepass] -pk8 pk8 -cert cert -alias key_alias

Running this command generates a file named google_certificate.keystore in your current folder, with alias “platform” and password “android”.

Then, when you export your application in Eclipse, choose the new certificate to sign your apk.
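The precondition stated above, that the build is signed with the default key from the Android source, can be audited by comparing certificate fingerprints. The following is an added example, not code from the original post: it assumes you have the reference platform.x509.pem and the signer certificate of a system apk from the build under review, both as PEM text, plus the contents of build.prop; the function names and sample inputs are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first certificate in a PEM string."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    # Drop all whitespace (LF or CRLF line breaks) before decoding.
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def build_tags(build_prop_text):
    """Return the list of values of ro.build.tags from build.prop content."""
    for line in build_prop_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "ro.build.tags":
            return [t.strip() for t in value.split(",") if t.strip()]
    return []

def audit(reference_pem, device_pem, build_prop_text):
    """Report whether the build relies on the publicly available platform key."""
    same = cert_fingerprint(reference_pem) == cert_fingerprint(device_pem)
    return {
        "platform_cert_is_public_default": same,
        "test_keys_tag": "test-keys" in build_tags(build_prop_text),
    }

def constructed_pem(payload):
    # Constructed stand-in: arbitrary bytes wrapped as PEM, not a real certificate.
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    ref = constructed_pem(b"constructed reference platform cert" * 20)
    vendor = constructed_pem(b"constructed vendor platform cert" * 20)
    # Same certificate with CRLF line endings, build tagged test-keys.
    print(audit(ref, ref.replace("\n", "\r\n"), "ro.build.tags=test-keys\n"))
    # Vendor-generated certificate, build tagged release-keys.
    print(audit(ref, vendor, "ro.build.tags=release-keys\n"))
```

A build for which both fields are true accepts any apk signed with the public platform key as a platform-signed app, which is why production builds should be signed with keys the vendor generated and keeps private.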

  1. Mr. Bachelor
    20 October 2011 at 16:16 | #1

    Fantastic !

  2. Mr. Bachelor
    22 October 2011 at 02:54 | #2

    Problem…

    I used the keytool-importkeypair script to generate a .keystore from the pk8 and pem files, however, when I specify my .keystore file in Eclipse (Window -> Preferences -> Android -> Build -> custom debug keystore) the APPLY and OK buttons become unselectable.

    What could be wrong ?

    • 24 October 2011 at 16:59 | #3

      You only need to add your certificate to Eclipse if you want to compile your application with system privileges at debug time. Eclipse will accept your new certificate if you add the alias “androiddebugkey” to your certificate by running the command and passing the new label:

      ./keytool-importkeypair -k google_certificate.keystore -p android -pk8 platform.pk8 -cert platform.x509.pem -alias androiddebugkey

      But if you just want to generate the apk with system privileges, you can simply export your application choosing your certificate using the alias “platform”.

      • Murugesan
        19 June 2012 at 03:34 | #4

        How to use “./keytool-importkeypair -k google_certificate.keystore -p android -pk8 platform.pk8 -cert platform.x509.pem -alias androiddebugkey” in Windows 7 OS?

        Please guide me …

  3. acassis
    23 October 2011 at 10:12 | #5

    Thank you very much for this nice tutorial!

  4. test
    24 November 2011 at 20:10 | #6

    I did not find certificates (.pk8 + x509.pem) in the SDK?
    Please can you help me?
    Thx in advance.

  5. 27 November 2011 at 19:53 | #7

    No. These certificates are in the source code of the Android OS and not in the SDK. You need to get the certificates (.pk8 + x509.pem) that were used to compile the OS that will run your application.

  6. caesar
    8 January 2012 at 09:45 | #8

    I have a Galaxy Note running Gingerbread 2.3.5.
    Would the certificate be in the source code of this Samsung stock Android version?
    Do you know where I can get it?

  7. otto_xd
    20 January 2012 at 06:57 | #9

    Hi.

    First of all, thank you for all the tutorials you’re making, all of them are awesome!

    I have doubts with the location of the certificates and the potential use of the google_certificate.keystore generated.

    Since the keys are extracted from source code, all devices that use the compiled Firmware from the source code will accept the key google_certificate created?

    Thank you very much, and sorry for my low level of English

  8. xeejem
    29 January 2012 at 19:45 | #10

    Is there a way to add my own platform pk8 file to my htc stock rom so that it will trust my apk signed with my own platform pk8 and give me system permission, given that I have root access to the stock rom?

  9. crt
    5 February 2012 at 11:07 | #11

    I’m trying to sign an entire rom and know certain apks belong in different categories. Like system, media, platform, etc. Can anyone point me in the right direction to a list of which files belong in which category so the rom can be signed properly.

  10. mighter
    21 June 2012 at 05:43 | #12

    Thanks for the post!
    So, how do I know if the device vendor has a custom certificate, instead of the default Android one?

  11. Manipulator
    28 June 2012 at 11:31 | #13

    I would also like to know this!
    My first thought was that all vendors generate their own private keys and keep them suuuper secret.
    Does your tutorial presume that you’re running a custom made ROM? Or stock OS?
    Best regards!
