Application Signing: Enough to Make You Feel You Understand It (理解した気になるApplication Signing)
Matsuda Jumpei
January 19, 2024
This is the content presented at Shibuya.apk#46 on 2024/01/19.
https://shibuya-apk.connpass.com/event/305120/
Transcript