Digital signatures are commonly used in connection with software applications to verify the origin of the application, as well as to ensure that the application's integrity has not been compromised since the digital signature was applied. Normally, digital signature schemes rely on a pair of keys: a private key for signing the application, known only by the signing entity, and a public key, available to other entities from the signing entity or a certificate issuing authority, for verifying the signature. Digital signatures can be used to create a public key infrastructure (PKI) scheme in which an entity's public key can identify that entity's digital identity. By verifying the entity's public key with the issuer of the digital identity (e.g., the certificate authority), a level of trust can be established between the signing entity and any third parties. Digital signatures can also be used to verify the integrity of the application. After applying a digital signature to the application, any subsequent changes to the application will invalidate the digital signature. Thus, when changes are made to the application after it has been signed, the integrity of the application may be considered compromised and, in most cases, the application cannot be trusted.
Some mobile devices run on operating systems and mobile platforms that require applications to be associated with a valid digital signature in order to allow the application to execute. In other instances, mobile devices attempting to run unsigned applications may prompt a user for approval prior to allowing the application access to certain device resources (e.g., the device's network connection, memory, etc.). Thus, any updates or changes to a mobile application after it has been digitally signed will prevent the mobile device from executing the application. While some mobile application platforms may allow for applications to be re-signed, the time and expense associated with re-signing make such solutions impractical in most cases.
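The behaviour described in the two paragraphs above, as an added example that is not part of the original text: a signer applies a signature with a private key, and a hypothetical platform loader (`platform_launch`, with return strings chosen for this sketch) executes, prompts, or refuses. The key pair is textbook RSA over two Mersenne primes, an assumption made so the example runs with the standard library only; it is not a secure scheme.

```python
import hashlib

# Toy key pair for illustration only: textbook RSA, no padding, well-known primes.
# Real platforms use vetted schemes such as RSA-PSS, ECDSA or Ed25519.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer
PUBLIC_KEY = (N, E)                # distributed to verifiers


def digest(app: bytes) -> int:
    """SHA-256 of the application package, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(app).digest(), "big")


def sign(app: bytes) -> int:
    """Signer side: transform the package digest with the private key."""
    return pow(digest(app), D, N)


def verify(app: bytes, signature: int, public_key: tuple) -> bool:
    """Verifier side: recover the signed digest and compare with a fresh one."""
    n, e = public_key
    return pow(signature, e, n) == digest(app)


def platform_launch(app, signature, public_key, trusted_keys) -> str:
    """Hypothetical loader policy modelled on the text above."""
    if signature is None:
        return "prompt-user"  # unsigned: ask before granting device resources
    if public_key not in trusted_keys:
        return "refuse: untrusted signer"  # origin cannot be established
    if not verify(app, signature, public_key):
        return "refuse: modified after signing"  # integrity check failed
    return "execute"


if __name__ == "__main__":
    app = b"constructed sample application package v1.0"  # constructed input
    sig = sign(app)
    trusted = {PUBLIC_KEY}
    print(platform_launch(app, sig, PUBLIC_KEY, trusted))
    print(platform_launch(app + b" + update", sig, PUBLIC_KEY, trusted))
    print(platform_launch(app, None, PUBLIC_KEY, trusted))
```

The second call shows why an update applied after signing blocks execution: the stored signature still encodes the digest of the original package, so the loader's comparison fails until the package is re-signed.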