Android Security App Signature Verification

<span id="Label3"></p><p><p></p></p>Android Security App Signature Verification<p><p>Sometimes we need to make sure that an application is the one that we want to launch to ensure the security of inter-application Communication. This sounds a bit around, as illustrated by a concrete example.</p></p><p><p><br></p></p><p><p>If a company a makes a payment application payapp, the package name is "com.testa.pay". As the payment application market gets bigger, they want to open up their interfaces to other companies so that their companies get more cash FLOW.</p></p><p><p><br></p></p><p><p>First of all, the company B that wants to integrate Payapp needs to register with company a, after the successful registration a company assigns to Company B three things, a unique id, a public key, a private key. These three messages are sensitive and cannot be disclosed to companies other than company A and company B.</p></p><p><p><br></p></p><p><p>When a third-party application wants to invoke payapp, it needs to pass in the three parameters allocated above to Payapp,payapp to interact with the a Company's payment gateway and then deliver the payment results to the Caller.</p></p><p><p><br></p></p><p><p>If at this time, a hacker has developed a malicious application, and the package name to get the same as Payapp. Then he removed the Payapp from the phone, loaded his own application, then when the application of company B called the payment interface again, it passed all the information to the Hacker's own application!</p></p><p><p><br></p></p><p><p>Company A in order to prevent this, specifically developed a payment sdk, called "paysdk", the SDK will call Payapp before the Payapp signature is verified, when the validation passed, the data will be passed to Payapp. then, all Third-party apps that want to invoke the Payapp interface need to inherit the payment Sdk. This will prevent information from being Stolen.</p></p><p><p><br></p></p><p><p>The following details describe the process of signature verification:</p></p><p><p><br></p></p><p><p>first, we need to have a basic understanding of the Android app Signature:</p></p><p><p>1. Any app installed on Android device has been signed, even if the debug state app has been signed with debug Keystore.</p></p><p><p>2. Applications that need to be published must be signed with the KeyStore of Release.</p></p><p><p>3. A company's release keystore should only be used on its own and cannot be disclosed to other people living in the Company.</p></p><p><p>4. An app may have multiple Signatures.</p></p><p><p><br></p></p><p><p>For information on how to generate keystore, and to sign an app, you can view the official website Tutorial: http://developer.android.com/intl/zh-cn/tools/publishing/app-signing.html</p></p><p><p><br></p></p><p><p>We ensure its integrity by comparing the hash value of the signature, so we should get the hash value of the corresponding signature of the release KeyStore before doing so before the program Runs. For the hash value of the signature, we can use the following code to Obtain:</p></p><p><p><br></p></p><p><p><br></p></p> <table style="border-collapse:collapse;width:100%;table-layout:fixed;margin-left:0px;"> <tbody> <tr> <td style="border-style:solid;border-width:1px;border-color:rgb(219,219,219);padding:10px;margin:0px;width:100%;"><p><p>PackageInfo pkgInfo;</p></p><p><p>try {</p></p><p><p>PkgInfo = Mactivitycontext.getpackagemanager (). getpackageinfo (targetpkg, packagemanager.get_signatures);</p></p><p><p>} catch (packagemanager.namenotfoundexception E) {</p></p><p><p>Toast.maketext (mactivitycontext, "the Target package was not found!", toast.length_short). show ();</p></p><p><p>E.printstacktrace ();</p></p><p><p>Return</p></p><p><p>}</p></p><p><p>For (Signature signature:pkgInfo.signatures) {</p></p><p><p>try {</p></p><p><p>LOG.I (TAG, "hash:" + base64.encodetostring (messagedigest.getinstance ("SHA"). Digest (signature.tobytearray ()), base64.no_wrap));</p></p><p><p>} catch (nosuchalgorithmexception E) {</p></p><p><p>E.printstacktrace ();</p></p><p><p>}</p></p><p><p>}</p></p></td> </tr> </tbody> </table><p><p><br></p></p><p><p><br></p></p><p><p>In the above code, "targetpkg" should be replaced with the package name of the app you want to Get. After the code runs, the log output is as Follows:</p></p><p><p><br></p></p> <table style="border-collapse:collapse;width:100%;table-layout:fixed;margin-left:0px;"> <tbody> <tr> <td style="border-style:solid;border-width:1px;border-color:rgb(219,219,219);padding:10px;margin:0px;width:100%;"><p>04-28 13:30:34.259 1123-1123/com.zlsam.signchecher i/mainactivity:hash:6qx30i5kpx4agieolkla75oo+za=</p></td> </tr> </tbody> </table><p><p><br></p></p><p><p>Here our paysdk need to record the string that follows the "hash:", in this case "6qx30i5kpx4agieolkla75oo+za=". An app may have multiple signatures, so we need to record and compare all the Signatures.</p></p><p><p><br></p></p><p><p>then, when the Third-party app pays through the PAYSDK call, PAYSDK first obtains all of the signature hashes of the app package "com.testa.pay" through the above code, and then checks whether the dynamically obtained hash values are in the previously recorded Hash. If yes, then the validation passes, otherwise the validation fails.</p></p><p><p><br></p></p><p><p>This article is from the "technical summary" blog, please be sure to keep this source http://9797337.blog.51cto.com/9787337/1768569</p></p><p><p>Android Security App Signature Verification</p></p></span>