What are the purposes of files in META-INF folder of an APK file? What are the purposes of files in META-INF folder of an APK file? android android

What are the purposes of files in META-INF folder of an APK file?


android apk digital-signature

An android APK file is actually a jar file (java archive), it is just a plain zip file with or without compression. Jar files are used by all types of java applications, they have a specific structure - the META-INF folder contains the manifest information and other metadata about the java package carried by the jar file.

The purposes of these files are as follows:

  1. MANIFEST.MF: It contains various information used by the java run-time environment when loading the jar file, such as which is the main class to be run from the jar file, version of package, build number, creator of the package, security policies/permissions of java applets and java webstart packages, the list of file names in the jar along with their SHA1 digests, etc.
  2. CERT.SF: This contains the list of all files along with their SHA-1 digest.
  3. CERT.RSA: This contains the signed contents of the CERT.SF file along with the certificate chain of the public key used for signing the contents.

As an example, Refer to a sample apk file here.If you download and expand this file using a file decompression program like 7zip to your desktop, you can see a sample of these files.

In the extracted directory, go to sub-directory META-INF and view the contents of the files manifest.mf and *.sf files. Here are the first few lines of these files:

File MANIFEST.SF:

Manifest-Version: 1.0Created-By: 1.7.0_60 (Oracle Corporation)Name: res/drawable-xxhdpi-v4/common_plus_signin_btn_text_dark_pressed.9.pngSHA1-Digest: Db3E0/I85K9Aik2yJ4X1dDP3Wq0=Name: res/drawable-xhdpi-v4/opt_more_item_close_press.9.pngSHA1-Digest: Xxm9cr4gDbEEnnYvxRWfzcIXBEM=Name: res/anim/accessibility_guide_translate_out.xmlSHA1-Digest: dp8PyrXMy2IBxgTz19x7DATpqz8=

The file MCTN.SF contains the digests of the file listings in MANIFEST.MF along with an empty line:

Signature-Version: 1.0SHA1-Digest-Manifest-Main-Attributes: Sen4TNWb3NQLczkzN1idKh81Rjc=Created-By: 1.7.0_60 (Oracle Corporation)SHA1-Digest-Manifest: NAWTDC05HK+hfNtQ91J4AoL9F7s=Name: res/drawable-xxhdpi-v4/common_plus_signin_btn_text_dark_pressed.9.pngSHA1-Digest: pvIZkdVTEuilCdx8UkrlY6ufPlw=Name: res/anim/accessibility_guide_translate_out.xmlSHA1-Digest: XeX9Q2w41PRm3KiZ5p07x3CY6hc=

The file MCTN.RSA contains the signature in base64 encoding generated over file MCTN.SF.

See this reference for details on how to verify the signatures of APK packages - http://theether.net/kb/100207

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last