
I'm trying to do the following things to an Android app without root access:

  1. De-compile the apk with adb d xxx.apk (done)
  2. Modify some files in /res/xml/ (done)
  3. Re-build the apk with adb b xxx (done)
  4. Sign the apk (keytool + zipalign + apksigner)
  5. Downgrade with adb push xxx.apk /data/local/tmp/ & adb shell pm install -r -d /data/local/tmp/xxx.apk

I'm able to sign the apk with my own keypair, but I don't want to uninstall & re-install the apk to install the modified version -- I want to downgrade the original app to preserve the data.

However, step 5 produces:

Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Existing package xxx signatures do not match newer version; ignoring!]

It seems like the app's old and new versions must have the same signature for a downgrade. Is there any way to bypass this check, or solve this situation?

I read this question: How do I force reinstallation of an apk with different signature on rooted Android? ... but it requires root access.
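As an added example that is not part of the original question, here is a pre-flight script for step 5. The platform's check is on the signing certificate, not the key file: an update or downgrade is accepted only when the new APK is signed by the same certificate as the installed package, otherwise `pm install` fails with the INSTALL_FAILED_UPDATE_INCOMPATIBLE error quoted above. The script pulls the installed base APK, compares the SHA-256 certificate digests reported by `apksigner verify --print-certs`, and only runs `pm install -r -d` when they match. It assumes `adb` and `apksigner` (Android SDK build-tools) are on PATH, exactly one device is connected, and that the APK path and package name are passed as arguments (both are placeholders).

```shell
#!/bin/sh
# Added example, not code from the question: pre-flight check before
# "pm install -r -d". Android only accepts an update (including a
# downgrade) whose signing certificate matches the installed package;
# a mismatch is reported as INSTALL_FAILED_UPDATE_INCOMPATIBLE.
#
# Assumptions: adb and apksigner (Android SDK build-tools) are on PATH
# and one device is connected.
# Usage: ./check_signer.sh xxx.apk com.example.app
# (the APK path and package name are placeholders you supply).
set -eu

# Read `apksigner verify --print-certs` output on stdin and print the
# SHA-256 certificate digest of every signer, lowercased and sorted, so
# two signer sets can be compared as plain strings.
signer_digests() {
    sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*/\1/p' \
        | tr 'A-F' 'a-f' | sort
}

# Succeed when two non-empty digest lists are identical (same certificates).
same_signers() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Digest set of an APK on the host.
apk_digests() {
    apksigner verify --print-certs "$1" | signer_digests
}

# Digest set of the installed package: pull the base APK from the first
# path `pm path` reports (split APKs list several) and inspect it.
installed_digests() {
    path=$(adb shell pm path "$1" | tr -d '\r' | sed -n 's/^package://p' | head -n 1)
    tmp=$(mktemp)
    adb pull "$path" "$tmp" >/dev/null
    apk_digests "$tmp"
    rm -f "$tmp"
}

main() {
    apk=$1
    pkg=$2
    new=$(apk_digests "$apk")
    old=$(installed_digests "$pkg")
    if same_signers "$old" "$new"; then
        adb push "$apk" /data/local/tmp/update.apk
        adb shell pm install -r -d /data/local/tmp/update.apk
    else
        echo "signer mismatch for $pkg" >&2
        echo "  installed: $old" >&2
        echo "  new APK:   $new" >&2
        echo "pm install -r -d would fail with INSTALL_FAILED_UPDATE_INCOMPATIBLE." >&2
        echo "Without root, the only supported path is uninstall + reinstall, which discards app data." >&2
        exit 1
    fi
}

# Run only when both arguments are given, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    main "$1" "$2"
fi
```

Because a rebuilt APK signed with a freshly generated keystore can never pass this comparison, the script will stop at the mismatch branch in exactly the situation described in the question; it saves the push and gives a clear reason instead of the terse installer error.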

  • Related: Does adb install do APK signature verification? You are trying to circumvent the security model on Android, so root access is generally a starting point. Commented Nov 20, 2023 at 4:47
  • @MorrisonChang Thank you for your reply (and previous reply ;) ). I do understand the situation, but I've used some commercial software (e.g., Cellebrite UFED) which is able to do exactly this without root (Cellebrite UFED Apk Downgrade), so I'm curious how it could do this. There should be a way (either "legitimate" or "illegitimate" -- e.g. a security vulnerability) to do so...?
    – TaihouKai
    Commented Nov 20, 2023 at 4:54
  • I watched the video for "Cellebrite UFED Apk Downgrade" and they called it a 'last resort option' for Android 12 forensics. My guess is that they are doing an APK backup and then using an older publisher-signed APK which has some vulnerability to extract the data. I would also not rule out root access vulnerabilities. If you do want to find such 'vulnerabilities', that would depend on the device/ROM version and is unlikely to be public for recent devices due to the security implications (governments, corporate espionage, forensics companies). Commented Nov 20, 2023 at 5:15
  • Ah, so they keep a list of supported apps which had a vulnerable old official version, and downgrade to that. This makes sense, since I actually tried the Cellebrite APK downgrade on my own device, a Samsung S22U running the newest Android OS build, which should not have any OS/hardware/kernel-level vulnerability.
    – TaihouKai
    Commented Nov 20, 2023 at 5:20
  • @MorrisonChang To my knowledge the adb backup restrictions exist on Android 12 on the device side and are triggered by the app's targetSDK version; see my answer on that topic: android.stackexchange.com/a/231237/2241
    – Robert
    Commented Nov 20, 2023 at 8:26
