Understanding Android Core Cracking: Principles, Timing, and Implementation
The article explains what Android core cracking is, its effects on app downgrade, overlay installation, and unsigned installs, discusses the optimal timing during Zygote initialization, outlines the modification of PackageManagerService methods, and notes that core cracking may fail after Android version updates.
Author: He Xiaojie Dev (Senior Android Architect). All rights reserved; please contact the author for permission to reproduce.
When working with Android you will often run into the term "core cracking" (核心破解). Some third-party ROMs ship it to make the system more permissive. This article defines core cracking, explains what it lets a user do, and looks at what it costs in system security.
What can be achieved after core cracking?

| Feature | Before cracking | After cracking |
| --- | --- | --- |
| App downgrade | Only a package with a higher versionCode may overwrite the installed one | versionCode is ignored; any version may overwrite freely |
| Overlay installation (installing over an existing package) | A signature mismatch blocks the install | The signature is ignored; the install proceeds directly |
| Unsigned installation | Not allowed | Allowed |
These relaxed checks are what users of cracked or modified apps want: any build can be dropped over the installed one regardless of version or signer. The cost is real. On a stock device the signing certificate is the only thing that ties an update to the original developer; an update that carries the same package name but a different signer is refused precisely so that it cannot replace the installed app and inherit its private data, granted permissions and shared user ID. Removing that check, together with the version check that stops a rollback to an older build, weakens Android's security model, enables piracy, and harms the ecosystem.
When to apply core cracking
Because signature checks are spread across the framework rather than confined to one place, the practical hook point is Zygote initialization. Every app process, and system_server (the process that hosts PackageManagerService), is forked from Zygote, so a hook installed there is inherited by all of them. At that stage the security-related classes (java.security and the framework's signature-handling code) are already loaded in Zygote, so they can be located and hooked before any installation takes place.
To decide what value to force, developers typically decompile the framework JAR, locate the verification entry points (methods named verify and the like), log the arguments they receive at runtime, and use those logs to choose a return value that passes each check. The brute-force shortcut is to make every such method return true (or its "match" constant) unconditionally, which disables the check for every caller, not just the installer, and weakens the system further.
Cracking the installation process
The modifications above cover verification performed at runtime; the package installation path must be changed as well. The relevant code lives in com.android.server.pm.PackageManagerService (under frameworks/base/services in AOSP). With an AOSP checkout you can read the methods directly; without one, refer to existing analyses.
Within PackageManagerService, four methods decide whether a package passes verification: installPackageAsUser (the entry point for an install request), checkUpgradeKeySetLP (the upgrade-keyset check for packages that declare one), verifySignaturesLP (requires the incoming APK's signatures to match the installed package's), and compareSignatures (the set comparison underlying it). The LP suffix is the AOSP convention for methods that must be called with the mPackages lock held. Forcing the outcome of these methods produces the bypass summarized in the table above.
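The install-time decisions just described (the version comparison on the install path, verifySignaturesLP and compareSignatures, checkUpgradeKeySetLP) and the "force the return value" strategy from the previous section, as a Python model. This is an added example, not code from the article or from AOSP: the install result and signature codes mirror android.content.pm.PackageManager, the method names mirror PackageManagerService, but the Package and verifier classes, the sample fingerprints and the sample packages are constructed for the illustration. It also models one point the four named methods do not cover: an APK with no certificates at all is rejected by PackageParser before PMS compares anything, so a crack that wants unsigned installs has to hook that point too.

```python
# Model of the checks a stock PackageManagerService applies before an incoming
# APK may replace an installed package, beside the "cracked" variant.  Added
# illustration, not article or AOSP code; see the lead-in for assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Install result codes, as in android.content.pm.PackageManager
INSTALL_SUCCEEDED = 1
INSTALL_FAILED_UPDATE_INCOMPATIBLE = -7
INSTALL_FAILED_VERSION_DOWNGRADE = -25
INSTALL_PARSE_FAILED_NO_CERTIFICATES = -103
INSTALL_ALLOW_DOWNGRADE = 0x80  # install flag bit
# compareSignatures() results, as in android.content.pm.PackageManager
SIGNATURE_MATCH = 0
SIGNATURE_NEITHER_SIGNED = 1
SIGNATURE_FIRST_NOT_SIGNED = -1
SIGNATURE_SECOND_NOT_SIGNED = -2
SIGNATURE_NO_MATCH = -3


@dataclass(frozen=True)
class Package:  # constructed for the model
    name: str
    version_code: int
    signatures: FrozenSet[str]  # signing-certificate fingerprints
    upgrade_key_sets: FrozenSet[str] = frozenset()  # <upgrade-key-set> signers


class StockVerifier:
    """Stock behaviour of the decision points the article names."""
    def collect_certificates(self, pkg: Package) -> bool:
        # PackageParser rejects an APK with no certificates before PMS compares
        # anything, so a crack has to hook this point as well.
        return bool(pkg.signatures)

    def compare_signatures(self, s1: FrozenSet[str], s2: FrozenSet[str]) -> int:
        # compareSignatures: both sides present and equal as sets (any order)
        if not s1:
            return SIGNATURE_NEITHER_SIGNED if not s2 else SIGNATURE_FIRST_NOT_SIGNED
        if not s2:
            return SIGNATURE_SECOND_NOT_SIGNED
        return SIGNATURE_MATCH if s1 == s2 else SIGNATURE_NO_MATCH

    def verify_signatures(self, installed: Package, incoming: Package) -> bool:
        # verifySignaturesLP: the existing package's signatures must match
        return self.compare_signatures(installed.signatures,
                                       incoming.signatures) == SIGNATURE_MATCH

    def check_upgrade_key_set(self, installed: Package, incoming: Package) -> bool:
        # checkUpgradeKeySetLP: the signer must be in a declared upgrade key set
        return bool(incoming.signatures & installed.upgrade_key_sets)

    def downgrade_allowed(self, install_flags: int) -> bool:
        return bool(install_flags & INSTALL_ALLOW_DOWNGRADE)


class CrackedVerifier(StockVerifier):
    """Each hooked method forced to its "accept" constant; the install path
    itself is untouched, which is what the article describes."""
    def collect_certificates(self, pkg): return True
    def compare_signatures(self, s1, s2): return SIGNATURE_MATCH
    def check_upgrade_key_set(self, installed, incoming): return True
    def downgrade_allowed(self, install_flags): return True


def install_decision(verifier: StockVerifier, installed: Optional[Package],
                     incoming: Package, install_flags: int = 0) -> int:
    """Walk the install path in stock order; return a PackageManager code."""
    if not verifier.collect_certificates(incoming):
        return INSTALL_PARSE_FAILED_NO_CERTIFICATES
    if installed is None:
        return INSTALL_SUCCEEDED  # fresh install: nothing to compare against
    if (incoming.version_code < installed.version_code
            and not verifier.downgrade_allowed(install_flags)):
        return INSTALL_FAILED_VERSION_DOWNGRADE
    if installed.upgrade_key_sets:  # shouldCheckUpgradeKeySetLP
        ok = verifier.check_upgrade_key_set(installed, incoming)
    else:
        ok = verifier.verify_signatures(installed, incoming)
    return INSTALL_SUCCEEDED if ok else INSTALL_FAILED_UPDATE_INCOMPATIBLE


# Constructed sample packages: a vendor build and three replacement attempts
VENDOR = Package("com.example.app", 12, frozenset({"sha256:vendor"}))
OLDER = Package("com.example.app", 11, frozenset({"sha256:vendor"}))
RESIGNED = Package("com.example.app", 13, frozenset({"sha256:other"}))
UNSIGNED = Package("com.example.app", 13, frozenset())


def article_table(verifier: StockVerifier) -> dict:
    """The three rows of the article's table evaluated against one verifier."""
    return {
        "downgrade": install_decision(verifier, VENDOR, OLDER),
        "overlay_wrong_signer": install_decision(verifier, VENDOR, RESIGNED),
        "unsigned": install_decision(verifier, VENDOR, UNSIGNED),
    }


if __name__ == "__main__":
    for label, v in (("stock", StockVerifier()), ("cracked", CrackedVerifier())):
        print(label, article_table(v))
```

Run stand-alone, the stock verifier returns INSTALL_FAILED_VERSION_DOWNGRADE, INSTALL_FAILED_UPDATE_INCOMPATIBLE and INSTALL_PARSE_FAILED_NO_CERTIFICATES for the three rows, and the cracked verifier returns INSTALL_SUCCEEDED for all of them. Note that only the overridden methods change: the install path still runs in the same order, which is why a crack is fragile whenever a release moves one of those decision points.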
Why core cracking may become ineffective
No core crack is permanent. Whenever a new Android release reorganises the verification logic, hooks that targeted the old method names, signatures or call sites stop matching and the crack stops working. The original article enumerates the per-version changes that affect the approach; its code targets SDK 21 (Android 5.0) and above. One well-known example of such a change is Android 7.0, which introduced APK Signature Scheme v2: certificates are no longer obtained only through the JAR-signature verification path, so a hook on that path alone no longer covers APKs signed with v2.
Because each Android version handles APK verification differently, the hooks must be revisited for every release you intend to support.
This article has been distilled and summarized from source material and republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Hujiang Technology