Thursday, November 10, 2011

Re: [android-developers] APK Signature Certificate Check

On Fri, Nov 11, 2011 at 11:21 AM, Sheado <chadata@gmail.com> wrote:
>
> Currently I have something in place where I get the PackageInfo's
> signatures (e.g. getPackageManager().getPackageInfo) and feed them
> into X509Certificate which i use to check the issuer DN.
>
> This will at least tell me that the DN changed, but that's obviously
> easy to get around.
> What's the proper way to go about checking the package signature with
> a remote service?

Use MessageDigest to calculate the SHA1 hash of the certificate blob.
Then send this to a server and compare with the hash of your own
certificate. Anyone can create a certificate with any DN, so checking
the DN buys you nothing.

Of course, if they are modifying your package, they can disable the
checking code...

--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
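The approach described in the reply above (hash the signing certificate blob and compare the digest against a pinned value), written out as an added example; it is not code from either poster. The class names, the hex helper and the pinned-fingerprint constant are assumptions for illustration. It uses SHA-256 rather than SHA-1 because the digest is only used as a fingerprint and the stronger hash costs nothing; the server side compares with MessageDigest.isEqual so the comparison is not timing-dependent.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper: fingerprints the signing certificate(s) of the running package. */
public final class SigningCertFingerprint {

    /**
     * Returns the hex SHA-256 of every signing certificate attached to the calling
     * package. Signature.toByteArray() is the DER-encoded X.509 certificate, i.e.
     * the same "certificate blob" the reply refers to, so hashing it gives a
     * fingerprint that cannot be forged by picking a matching issuer DN.
     */
    public static List<String> fingerprints(Context ctx)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        List<String> out = new ArrayList<String>();
        for (Signature sig : info.signatures) {
            md.reset();
            out.add(toHex(md.digest(sig.toByteArray())));
        }
        return out;
    }

    /**
     * Server side (plain Java, no Android dependency): compare the fingerprint the
     * client reported against the pinned fingerprint of your release certificate.
     * PINNED_RELEASE_CERT_SHA256 is a placeholder; fill it with the output of
     * `keytool -list -v -keystore release.keystore` for your own key.
     */
    public static final String PINNED_RELEASE_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000"; // assumption

    public static boolean matchesPinned(String reportedHex) {
        byte[] reported = fromHex(reportedHex);
        byte[] pinned = fromHex(PINNED_RELEASE_CERT_SHA256);
        // Constant-time comparison; a plain equals() leaks how many leading bytes matched.
        return MessageDigest.isEqual(reported, pinned);
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        if (hex == null || hex.length() % 2 != 0) {
            return new byte[0]; // malformed input never matches the pin
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Two caveats a practitioner would add to the reply. First, the server only ever sees what the client chooses to send: a repackaged APK can simply transmit the genuine fingerprint, so this check raises the bar against casual tampering but is not a proof of integrity, exactly as the reply's last sentence warns. Second, PackageManager.GET_SIGNATURES was deprecated in API 28; current code should request PackageManager.GET_SIGNING_CERTIFICATES and read PackageInfo.signingInfo.getApkContentsSigners() instead, which also reports past certificates after a key rotation.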
