Does the APK hash signature ever change?

Question

We have some apps that use the same web services, and we need a way to uniquely identify which app is calling the web services.

What I ended up doing is sending the hash signature of the app along with the other parameters. The code to get the signature is similar to this one https://stackoverflow.com/a/25524657/17648.

Then I have a table with all the hashes stored that I can use later to compare with the calls to the web service and find out which app called which method.

By doing this I don`t need to create switch statements when calling the web service.

This is working ok now, but I just want to make sure the hash signatures will be the same for any version we release of the apk and also will be the same for any phone/tablet it is installed.

Answer 1

The code in that answer is actually hashing the public key from your keystore, as that's really what is in the signatures field. If you use the SHA-256 hash algorithm, you get the same value as if you dump the hashes of your keystore through Java 7+'s keytool command.

This leads to two potential problems:

1. You should get the same value for any app signed with the same signing keystore. To distinguish between apps, you would need to use different signing keystores. You might be doing that anyway.

2. The exact format of the byte[] of the Signature is undocumented, technically. It is possible that they might change what this is in the future. So, you might need version-dependent logic sometime down the road.

IMHO, your algorithm is not significantly better than just using getPackageName(), using the application ID.