SigTool: APK Signature Analyzer Pro - Review and Enhancements 🚀

Posted on Aug 15, 2024

SigTool is a robust open-source tool tailored for developers and security analysts. It excels at in-depth APK signature analysis, offering features such as:

  • Signature Extraction & Hash Calculation 🛠️
  • Java-style HashCode Calculation 📋
  • PEM Certificate Generation 📜

It’s a go-to for anyone diving deep into APKs, but like any tool, there’s always room for improvement. Below, I’ll highlight some quirks I encountered and how I went about fixing them.

🔗 GitHub Repository:
SigTool - APK Signature Analyzer


🛑 The Issue: Multiple Flags Not Playing Nice Together

When multiple flags are given, such as -p and -e, SigTool doesn't behave as expected. Instead of combining the outputs of both flags, it only processes the last flag provided. Ignoring earlier flags is reasonable where a combination would be meaningless, but -p and -e together is a meaningful and useful combination and should work.

Steps to Reproduce:

  1. Run the command:
    sigtool path/to/apk.apk -p -e
  2. Observe the output.

Expected Result:

The tool should output both APK information and Base64 Encoded Hashes, along with PEM Certificate Details.

Actual Result:

Only the output from the last flag (in this case, Base64 Encoded Hashes and Certificate) is shown.


🔧 The Fix: Pull Request & New Features

I submitted a pull request to address this issue. Here’s a breakdown of the fixes and improvements:

  • Flag Compatibility Fix: The tool now processes both the -p and -e flags together, displaying all the relevant outputs as expected.
  • JSON Output: You can now save the output as a JSON object, making it easier to work with programmatically.
  • Colon Signature Options: With the -u flag, you can choose between uppercase and lowercase for colon-separated signatures:
    • -u + -c: Uppercase results with colons.
    • -c: Lowercase results with colons.

Once the pull request is merged, these enhancements will be available to all users. 🎉
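As an added example (not SigTool's own code), the following Python reproduces what the -p / -e paths produce from a signer certificate's DER bytes, applies the -c and -u presentation options, and emits everything as JSON. It assumes the Java-style hashCode is Arrays.hashCode over the DER bytes (the value Android's Signature.hashCode() returns), and SAMPLE_DER is constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import json

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = bytes(range(256)) * 2

def fingerprints(der: bytes) -> dict:
    """Lowercase hex MD5 / SHA-1 / SHA-256 digests of the certificate bytes."""
    return {name: hashlib.new(name, der).hexdigest() for name in ("md5", "sha1", "sha256")}

def format_fingerprint(hexdigest: str, colons: bool = False, upper: bool = False) -> str:
    """Apply the -c (colon-separated) and -u (uppercase) presentation options."""
    out = hexdigest.upper() if upper else hexdigest.lower()
    if colons:
        out = ":".join(out[i:i + 2] for i in range(0, len(out), 2))
    return out

def java_array_hashcode(data: bytes) -> int:
    """Java's Arrays.hashCode(byte[]) over the DER bytes (assumed to be what
    Android's Signature.hashCode() returns): h = 31*h + b, signed bytes, int32 wrap."""
    h = 1
    for b in data:
        signed = b - 256 if b > 127 else b  # Java bytes are signed
        h = (31 * h + signed) & 0xFFFFFFFF
    return h - 0x100000000 if h & 0x80000000 else h

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def report(der: bytes, colons: bool = False, upper: bool = False) -> dict:
    """Everything the -p and -e paths would print, as one JSON-serialisable dict."""
    hexes = fingerprints(der)
    return {
        "fingerprints": {n: format_fingerprint(h, colons, upper) for n, h in hexes.items()},
        "base64": {n: base64.b64encode(bytes.fromhex(h)).decode("ascii") for n, h in hexes.items()},
        "java_hashcode": java_array_hashcode(der),
        "pem": der_to_pem(der),
    }

def report_json(der: bytes, colons: bool = False, upper: bool = False) -> str:
    """The JSON form of the report (the new JSON output option)."""
    return json.dumps(report(der, colons, upper), indent=2)

if __name__ == "__main__":
    print(report_json(SAMPLE_DER, colons=True, upper=True))
```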


✅ Installation & Requirements:

For Termux:

pkg install python aapt openssl-tool

For Linux (APT):

sudo apt install aapt openssl

For Windows:

Make sure the aapt and openssl command-line tools are installed.

Install SigTool:

pip install sigtool

Usage:

sigtool -h

💬 Final Thoughts

SigTool is a fantastic tool for APK signature analysis, and with the fixes and enhancements on the horizon, it’s only getting better. If you find it helpful, don’t forget to ⭐ star the GitHub repo and share your feedback!


Feel free to dive in and explore what SigTool has to offer! 🚀