Based on my understanding the android apk signing step is to make sure the apk a user is to install is unmodified. The apk is signed by a private key, however based on my understanding the public key is written right within the same apk file. I wonder how the user can trust the public key and use it to decrypt and verify the apk? Because I were a hacker I could simply get the original apk and modify its content and encrypt it with my own private key and insert my own public key in it so that when the user get this hacked apk he/she should still be able to pass the verification process as the apk is using a valid private and public key pair which is mine?

CodePudding user response：

APK signing works for application update scenarios. You can only update an application with an APK signed with the same key as the original installed app.

Modifying an APK and signing it with another key is certainly possible and it does happen. One hurdle there is distribution: tricking users to install the modified version. Application stores have mechanisms to detect such app modifications or otherwise malicious apps, and the default platform security setting disallows sideloading i.e. installing applications from untrusted sources. These are of course not 100% effective, bad apps do get installed.

CodePudding user response：

In addition to what @laalto said: the signature is also using for signature protected permissions. If you have several applications, and they use Android intents to communicate (e. g. one app is using a service in another), and the intent targets (services, receivers, content providers) are protected with private permissions, and the permissions are declared with the protection level of "signature", then Android will only grant permissions if the two applications are signed with the same key. That's where the potential hacker would be thwarted; were they to re-sign an APK with their own key, Android would notice that and deny access.