getteammates.com

Monday, 16 February 2015

Signature verification of an Android application

Get the SHA1 key for the signature

The first step in verifying the signature is to retrieve the SHA1 fingerprint of the signing certificate stored in the keystore.
This can be done using keytool.

The command to run on the debug keystore is given below:

keytool -list -v -keystore debug.keystore  -alias androiddebugkey -storepass android -keypass android

The fingerprints are listed under the Certificate fingerprints section of the output:
Certificate fingerprints:
         MD5:  
         SHA1: 
         Signature algorithm name: SHA1withRSA
         Version: 3

Verification for the signature

Verification of the signature can be done in the main Activity class or in the Application class.
The check computes the SHA1 of the certificate the installed package was signed with and compares it against the fingerprint obtained from the keytool command.


// Imports required by the Activity fragment below
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.pm.Signature;
import android.os.Bundle;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Expected SHA1 of the signing certificate, copied from the keytool output
static final byte signatureSha1[] = { /* SHA1 key obtained from keytool */};

@Override
protected void onCreate(Bundle savedInstanceState)
{   super.onCreate(savedInstanceState);
    boolean validSignature = false;
    try
    {   // Retrieve the SHA1 digest algorithm
        MessageDigest sha1Alg = MessageDigest.getInstance("SHA1");
        try
        {   // Retrieve the package info; it contains the signing certificates
            PackageInfo packageInfo = getPackageManager().getPackageInfo(getPackageName(),
                                      PackageManager.GET_SIGNATURES);
            // For every signer of the package, check for the fingerprint obtained using keytool
            for (Signature signature : packageInfo.signatures)
            {   // Hash the DER-encoded signing certificate
                byte[] hash = sha1Alg.digest(signature.toByteArray());
                // Compare it against the one obtained using keytool
                if (Arrays.equals(hash, signatureSha1))
                {   validSignature = true;
                    break;
                }
            }
        }
        catch (NameNotFoundException e)
        {   // Our own package name cannot be missing; treat it as a fatal error
            throw new RuntimeException(e);
        }
    }
    catch (NoSuchAlgorithmException e)
    {   throw new RuntimeException(e);
    }

    if (!validSignature)
    {   throw new RuntimeException("Invalid Signature");
    }

    // Complete the activity initialization here
}
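As an added example that is not part of the original post, the helper below turns the SHA1 line printed by keytool in the first step into the byte array that signatureSha1 expects, and packages the onCreate check as a method callable from an Activity or an Application subclass; the class name SignatureCheck and the placeholder fingerprint are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added helper (not from the original post): parses keytool's fingerprint line
// so the value does not have to be re-typed by hand as hex byte literals.
public final class SignatureCheck
{   // Placeholder value: paste the SHA1 line keytool printed for the keystore that
    // signs the shipped build (the release keystore, not debug.keystore, for a release APK).
    static final String KEYTOOL_SHA1 =
        "SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33";
    static final byte[] EXPECTED_SHA1 = fingerprintToBytes(KEYTOOL_SHA1);

    // Accepts either the full "SHA1: xx:xx:..." line or just the colon-separated hex
    static byte[] fingerprintToBytes(String line)
    {   String hex = line.trim().replaceFirst("(?i)^SHA1:\\s*", "").replace(":", "");
        if (hex.length() != 40)
        {   throw new IllegalArgumentException("expected a 20-byte SHA1 fingerprint: " + line);
        }
        byte[] out = new byte[20];
        for (int i = 0; i < 20; i++)
        {   out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Same check as the Activity code above, reusable from any Context
    static boolean isSignedWith(Context ctx, byte[] expectedSha1)
    {   try
        {   MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures)
            {   // isEqual compares the digests without stopping at the first mismatch
                if (MessageDigest.isEqual(sha1.digest(sig.toByteArray()), expectedSha1))
                {   return true;
                }
            }
            return false;
        }
        catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e)
        {   throw new RuntimeException(e);
        }
    }
}
```

Call SignatureCheck.isSignedWith(this, SignatureCheck.EXPECTED_SHA1) where the original code sets validSignature; the debug and release keystores produce different fingerprints, so the constant must match the keystore used for the build being checked.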
