CODEWITHSUNDEEP
androidsecurity
cybergeek654
cybergeek654

Reputation: 290

How to securly veify that an android app that is trying to connect to my backend server is my genuine app?

I have android app that connects to my backend server to fetch data. Right now, it serves as an open API.

Some one can modify my app, and still be able to connect to my backend server and get data. How can I SECURELY prevent it?

So in other words, I want that ONLY APKs that are signed by me be able to get service from my backend server. How this can be implemented?

Solution should not rely on signing in users. Users do not need to be registered to get service from the server.

[edit] Bonus Question: I publish source code of my app in GIT. So I do not have much options in hiding some keys inside the source code. Yet I want only the apps signed by me to be able to connect to my server. Is it possible?

Upvotes: 0

Views: 118

Answers (3)

Gopal
Gopal

Reputation: 1784

You can validate your certificate signature/private key (contained in a .keystore or .jks file) at your server for API call you want to secure.

1) embedded your app's signature in your API .

2) send signature as a parameter with API call from your app.

3) Check that the signature at runtime matches to your embedded developer signature and respond your request accordingly.

You can get signature runtime with:

public static String checkAppSignature(Context context) {
    try {
        PackageInfo packageInfo = context.getPackageManager()
                .getPackageInfo(context.getPackageName(),
                        PackageManager.GET_SIGNATURES);
        for (Signature signature : packageInfo.signatures) {
            byte[] signatureBytes = signature.toByteArray();
            MessageDigest md = MessageDigest.getInstance("SHA");
            md.update(signatureBytes);
            final String currentSignature = Base64.encodeToString(md.digest(), Base64.DEFAULT);
            //signature at runtime
            return currentSignature;
        }
    } catch (Exception e) {
        //something went wrong, let caller decide on what to do.
    }
    return "INVALID_SIGNATURE";
}

Upvotes: 1

Nikhil
Nikhil

Reputation: 3711

  1. Get certificate fingerprint from your app. follow this link. This fingerprint is generated from code so it can't be stolen by decompiling apk.
  2. You can send this fingerprint using POST API as POST data is encrypted.
  3. Verify this SHA on your server, if that matches then request is coming from your app.

Upvotes: 1

Pankaj Jadhav
Pankaj Jadhav

Reputation: 81

Differentiate your application access by unique customer-ID or Device-ID. Whenever your application is making requests verify those ID's on your server side.

Upvotes: 0

Related Questions