Reputation: 12986
I am developing an Android library and I want to apply a tamper-detection mechanism to my code, since it calls some sensitive financial web services.
What I'm going to implement is to calculate the checksum of the APK (or important parts of it) programmatically at runtime, so I can prevent a repackaged or recompiled APK from being able to do any harm (tamper prevention).
What I have come up with so far is to calculate the checksum of applicationInfo.publicSourceDir, but I'm not sure what happens with apps that have multiple dex files or multiple split APKs.
What is the most reliable way to calculate a checksum based on the code-base of an application in Android, programmatically?
Upvotes: 15
Views: 2746
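An added example, not taken from the question or any of the answers, of hashing every installed code archive: the base APK plus any split APKs listed in ApplicationInfo.splitSourceDirs (API 21+). The class and method names are hypothetical, and the expected digests are assumed to be supplied from outside the APK (for example by the backend for this app version).

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.TreeMap;

// Hypothetical helper class (example code, not from the question or answers).
public final class ApkIntegrity {

    /** Hex-encoded SHA-256 of one file, streamed so a large APK is not read into memory at once. */
    static String sha256Hex(String path) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[64 * 1024];
        try (InputStream in = new FileInputStream(path)) {
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /**
     * Digest of the base APK (sourceDir) and of each split APK (splitSourceDirs, null before
     * API 21 or when there are no splits). All classes*.dex files live inside these archives,
     * so hashing the archives also covers multidex builds.
     */
    public static Map<String, String> codeDigests(Context ctx) throws IOException, NoSuchAlgorithmException {
        ApplicationInfo ai = ctx.getApplicationInfo();
        Map<String, String> out = new TreeMap<>();
        out.put(new File(ai.sourceDir).getName(), sha256Hex(ai.sourceDir));
        if (ai.splitSourceDirs != null) {
            for (String split : ai.splitSourceDirs) {
                out.put(new File(split).getName(), sha256Hex(split));
            }
        }
        return out;
    }

    /**
     * Compare against digests delivered at runtime. The expected values cannot be compiled into
     * the APK itself: embedding them changes the APK and therefore the hash being checked.
     */
    public static boolean matches(Map<String, String> actual, Map<String, String> expected) {
        return actual.equals(expected);
    }
}
```

As the answers point out, a check that runs inside the APK can itself be removed by a repackager, so the comparison carries weight only when the server also validates it (or an attestation such as SafetyNet is used).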
Reputation: 559
The checksum approach can be applied to a single file or to zip files. It will be a lengthy process to check the checksum of all files. I think you are going in the wrong direction.
Firstly, there is no clear solution to this problem. Any app can be hacked - you can just make it hard to hack.
This is what is done to make it hard:
Encrypt your APK so that it's hard to get to your source code. Refer to "APK to protect apk from reverse engineering" - check obfuscating tools.
Use data encryption while sending/receiving data to/from the web service. You can use HMAC to protect the data. Make sure your server is smart enough to block users/requesting apps in case there are multiple bad calls. HMAC is easy to implement and there are libraries to generate HMAC keys.
Upvotes: 1
Reputation: 3809
Get the app signature, which is tied to the certificate used to sign the APK:
import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import java.security.MessageDigest;

public static String getAppSignature(Context context) {
    try {
        // GET_SIGNATURES returns the signing certificate(s) of the installed package
        // (deprecated since API 28 in favour of GET_SIGNING_CERTIFICATES)
        for (Signature signature : context.getPackageManager().getPackageInfo(context.getPackageName(),
                PackageManager.GET_SIGNATURES).signatures) {
            MessageDigest md = MessageDigest.getInstance("SHA"); // "SHA" resolves to SHA-1
            md.update(signature.toByteArray());
            // Returns after the first signature, so only the first certificate is digested
            return Base64.encodeToString(md.digest(), Base64.DEFAULT);
        }
    } catch (Exception e) { /* Do nothing */ }
    return null;
}
This can be compared with a stored value to check whether the signing certificate is the original or not.
Upvotes: 0
Reputation: 39539
If you distribute via play you might have a look into SafetyNet: https://developer.android.com/training/safetynet/index.html
Upvotes: 2