How to reverse engineer an APK without changing its signing information


Suppose I have an APK that I want to reverse engineer, but there are some small problems regarding this. For instance, if the application uses the Google signing mechanism to sign in to the app, then I would not be able to sign in after modifying the APK! There are also a couple of other reasons why not to modify an APK and re-sign it with a custom keystore...!

Is it possible? Or is there any other problem to tackle this?

Stephen C On BEST ANSWER

It is not possible [1] to modify an APK without invalidating the signature. That is the whole point of the signature.

However, the APK signature and Google's Sign-in service are different things. "Signing" and "sign-in" are different words with different meanings. From a theoretical standpoint (at least) an APK that has been modified should still be able to successfully use Google Sign-in.

Here are some background links on APK digital signatures and how they work:


[1] At least not currently. If someone manages to break the "crypto" that is used to implement the signature, then all bets are off. But we are probably OK for a few years ...
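An added example (not part of the original answer) showing why the answer's first point holds for the v1 JAR-style scheme: each file's SHA-256 digest is listed in `META-INF/MANIFEST.MF`, so an edited entry no longer matches, and regenerating the manifest changes the bytes the developer's signature covers. The archive contents and entry names are constructed, and the `.SF`/signature-block check and the whole-file v2+ schemes are left out.

```python
import base64, hashlib, io, zipfile

def b64sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_manifest(entries: dict) -> bytes:
    """v1 (JAR-style) MANIFEST.MF: one SHA-256 digest per file in the archive."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {b64sha256(data)}", ""]
    return "\r\n".join(lines).encode()

def make_apk(entries: dict, manifest: bytes) -> bytes:
    """Build an in-memory ZIP laid out like an APK (constructed, not installable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(raw: bytes) -> dict:
    """Map entry name -> digest. Wrapped long lines are not handled (names here are short)."""
    digests, name = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
    return digests

def mismatched_entries(apk: bytes) -> list:
    """Entries whose bytes differ from the manifest digest, or that are unlisted or missing."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        present = [n for n in z.namelist() if not n.startswith("META-INF/")]
        bad = {n for n in present if expected.get(n) != b64sha256(z.read(n))}
        bad |= set(expected) - set(present)
    return sorted(bad)

# Constructed sample content, not a real APK.
ORIGINAL = {"classes.dex": b"constructed dex bytes", "res/raw/config.txt": b"debug=false"}
MODIFIED = {**ORIGINAL, "classes.dex": b"patched dex bytes"}
SIGNED_MANIFEST = build_manifest(ORIGINAL)  # stands in for the manifest the developer's key signed

if __name__ == "__main__":
    print(mismatched_entries(make_apk(ORIGINAL, SIGNED_MANIFEST)))  # untouched archive
    print(mismatched_entries(make_apk(MODIFIED, SIGNED_MANIFEST)))  # edited entry is reported
    # Regenerating the manifest hides the mismatch but changes the signed bytes.
    print(build_manifest(MODIFIED) != SIGNED_MANIFEST)
```

On a real APK, `apksigner verify` from the Android SDK build tools performs the full check, including the signature over the manifest and the newer whole-file schemes.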