I would like to force close my app and open my app's official Play Store page if it was installed from a third party app store.
The idea would be that I simply check the last five characters of my key signature at runtime with this code:
```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import java.security.MessageDigest;

public static String getSpecHashSuffix(Context ctx) {
    String hash = "";
    String ret = "";
    try {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        for (Signature signature : info.signatures) {
            // "SHA" resolves to SHA-1 in the Java MessageDigest provider
            MessageDigest md = MessageDigest.getInstance("SHA");
            md.update(signature.toByteArray());
            // removing special characters ('/', '=', '+') from the Base64 encoding
            hash = Base64.encodeToString(md.digest(), Base64.DEFAULT).replaceAll("/", "").replaceAll("=", "").replaceAll("\\+", "");
            // removing numbers
            hash = hash.replaceAll("\\d", "");
            // removing new lines (Base64.DEFAULT wraps lines)
            hash = hash.replaceAll("\n", "");
            // lowercasing
            hash = hash.toLowerCase();
            // keep the last five characters (throws, and is caught below, if fewer remain)
            ret = hash.substring(hash.length() - 5);
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
    return ret;
}
```
The returned String is something like this: "abcde".
I would simply check this String against a constant in the code with the very same value.
If they are not the same, I would force close the app and open the app's official Play Store page with an intent.
Upvotes: 2
Views: 276
> Is this possible to do so?
If you are asking if you can read your own app's signature, compute a hash of it, and compare it to a known value, yes. Personally, I'd use SHA-256.
> Is it safe?
I do not know what that means in this context, sorry.
> Can it be bypassed?
Sure. Whoever repackaged your app could change the constant that you are comparing with your hash, so that the revised constant matches the revised hash. Or, they could remove your call to this function in its entirety.
I like validating the signature of another app from yours, such as for confirming that a third-party app really is the right app and not an imposter. Checking your own signature might catch some unskilled attackers, but that's it.
> Am I thinking this right, and does this actually do what I want?
Technically, your code is unrelated to your stated concern:
> I would like to force close my app and open my app's official Play Store page if it was installed from a third party app store.
What you are attempting to detect is if somebody repackaged your app, replacing your signature with theirs, perhaps as part of modifying the content of the app. A third-party app store could be distributing a repackaged app, but they could just as easily be distributing the same APK that you are distributing via the Play Store.
Upvotes: 1
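The answer recommends SHA-256 and notes that signature validation is most useful when your app checks *another* package's signing certificate against a pinned value. The following is an added example of that check, not code from the question or the answer. It assumes a placeholder constant `EXPECTED_SHA256` that you would replace with the hex SHA-256 of the certificate you trust, and a hypothetical package name `com.example.partner` in the usage comment. Passing `ctx.getPackageName()` instead reproduces the self-check from the question, with the same limitation the answer describes: a repackager can edit the constant or remove the call.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import android.os.Build;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public final class SignatureCheck {

    // Placeholder (assumption): the lowercase hex SHA-256 of the signing certificate you trust.
    // Obtain it out of band, e.g. from `apksigner verify --print-certs` on a known-good APK.
    private static final String EXPECTED_SHA256 = "<sha256-hex-of-trusted-signing-cert>";

    /** Current signing certificates of packageName, or null if it is not installed. */
    static Signature[] signaturesOf(Context ctx, String packageName) {
        try {
            PackageManager pm = ctx.getPackageManager();
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                // API 28+: GET_SIGNING_CERTIFICATES understands APK Signature Scheme v3 key rotation.
                PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES);
                SigningInfo si = info.signingInfo;
                if (si == null) return null;
                // getApkContentsSigners() returns only the certificate(s) currently signing the APK,
                // not historical ones from a rotation lineage.
                return si.getApkContentsSigners();
            } else {
                // Older platforms: the deprecated flag is the only option.
                @SuppressWarnings("deprecation")
                PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
                return info.signatures;
            }
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }
    }

    /** Lowercase hex SHA-256 of the DER-encoded certificate bytes. */
    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format(Locale.ROOT, "%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /**
     * True only if packageName is installed and every certificate currently signing it
     * hashes to EXPECTED_SHA256. An app signed by several distinct signers would need a
     * pinned set rather than a single constant.
     */
    public static boolean isSignedByTrustedKey(Context ctx, String packageName) {
        Signature[] sigs = signaturesOf(ctx, packageName);
        if (sigs == null || sigs.length == 0) return false;
        byte[] expected = EXPECTED_SHA256.getBytes(StandardCharsets.US_ASCII);
        for (Signature s : sigs) {
            byte[] actual = sha256Hex(s.toByteArray()).getBytes(StandardCharsets.US_ASCII);
            // MessageDigest.isEqual compares without short-circuiting on the first mismatch.
            if (!MessageDigest.isEqual(actual, expected)) return false;
        }
        return true;
    }

    // Usage (hypothetical package name):
    //   if (!SignatureCheck.isSignedByTrustedKey(ctx, "com.example.partner")) {
    //       // refuse to bind to / exchange data with the untrusted app
    //   }
}
```

Hashing the full certificate bytes with SHA-256 and comparing the complete digest avoids the collision headroom given up by the five-character, characters-stripped suffix in the question; the original transform discards most of the SHA-1 output, so unrelated certificates could share a suffix.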