Android: Verifying the application's integrity on the server side

Question

I'm writing an Android app that communicates via HTTPS with a server application. On the server side, I have to be absolutely sure about the Android app's integrity. This means that the server app needs to be sure that it's communicating with the Android app that I developed and not with a re-written one (e.g. after decompiling the original app or after having rooted the device).

Is there a possibility to ensure that? Maybe there is a possibility with the signature of the apk file?

Any hint is appreciated.

Regards, Peter

Answer 1

You are trying to address a known problem:

1. You can never trust an application on an open device (mobile phone, desktop computer). In order to trust it, it should be tamper proof. An example of such device is a SmartCard. Mobile devices are certainly not it.

2. You should never send data to device that user is not supposed to see. The implication of this is that all business logic must be done on the server.

3. All requests to the server should be authenticated with user's credentials (username/password) and made via a secure protocol (HTTPS/SSL).

Answer 2

In order to validate that your software is running, the client devices need to be able to provide remote attestation services, which is one of many piles of acronyms in the TPM world. I found that someone has been working on providing TPM services, including IBM's IMA, which is almost good enough for what you want.

Details here: http://www.vogue-project.de/cms/upload/vogueSoftware/Manual.pdf (Google Quickview).

Of course, this is emulating the TPM, and requires patching the Android kernel. But perhaps one of the various manufacturers would be willing to build a model with the TPM hardware included for you?

Answer 3

No way. Whatever is in user's hands, is not yours anymore. Even if you somehow manage to transfer the APK to the server for validation, nothing prevents the hacked program send an original copy to the server.