Android APK signature comparison to prevent software from being cracked

Original: http://wenjh.com /? P = 19

After the client software is released, it may be cracked and used by others. The target of cracking may be localization, advertisement removal, and addition of convenient functions. However, malicious modules may also be implanted. This problem also exists in androd.

Android applications must be signed before they are released. Assuming that the key used for signature is not disclosed or shared, we can think that when the cracked Android software is repackaged, its "signature" must be different from the official version.

What is this "signature?

You can decompress an APK if it is convenient. Open the extract directory, "META-INF" is where the signature content is saved. The source code of the signature process is here, and the core code starts from (line 1 ).

First, the signature program traverses all the files in the APK and uses the sha1 algorithm to obtain the "abstract information" of each file ". These summary information is recorded in the manifest. MF file in the META-INF directory. (170th rows)

Therefore, solution 1 is obtained: Check whether the summary information in manifest. mf is the same to determine whether the APK is modified. (The comparison sample is "official" APK, the same below)

The real "signature" is not started yet, because the public/private key is not used yet. The generation of manifest. MF provides a list of signatures with keys.

Next, the "summary information" of all files in manifest. MF will be encrypted using the private key. The encryption algorithm used is the "RSA" asymmetric encryption algorithm. The generated information is recorded in the file ending with ". SF" in the directory. (475th rows, 259th rows)

In the same way as solution 1, we can know whether the APK is tampered. If you do not use solution 2, continue the analysis.

Finally, the Public Key is encrypted and stored in the file ending with ". RSA" by using the PKCS #7 algorithm (specifically, the digital certificate containing public key and other related information is encrypted and saved. I searched for an article about public/private keys and digital certificates ). If the file is opened directly using a text reader, garbled characters are displayed. (483rd rows, 305th rows)
Solution 2: Determine whether the public key is consistent and whether the software is repackaged ".

Solution 2 looks simpler:

1. solution 1: Compare the summary information of all files in the APK one by one.

2. After the software is upgraded normally, the APK content will inevitably change. Therefore, the comparison of solution 1 can only be performed between the same version.

OK. The specific implementation of solution 1 is not discussed, because there is no technical difficulty after this idea.

Solution 2: How can I decode the ". RSA" file and extract the public key from it?

Here we need to introduce another source code file: packageparser. java.
The core code is the collectcertificates method, which clearly shows the process of public key resolution through digital certificates.

However, this class is added with the "hide" annotation, so it cannot be called directly, but these hidden APIs can be used with reflection.

The final method is as follows:

// Obtain the MD5 string public static string getapksignaturemd5 (string apkpath) throws exception {class clazz = Class. forname ("android. content. PM. packageparser "); Method parsepackagemethod = clazz. getmethod ("parsepackage", file. class, String. class, displaymetrics. class, Int. class); object packageparser = clazz. getconstructor (string. class ). newinstance (""); object packag = parsepackagemethod. invoke (Package Parser, new file (apkpath), null, getcontext (). getresources (). getdisplaymetrics (), 0x0004); Method collectcertificatesmethod = clazz. getmethod ("collectcertificates", class. forname ("android. content. PM. packageparser $ package "), Int. class); collectcertificatesmethod. invoke (packageparser, packag, packagemanager. get_signatures); signature msignatures [] = (signature []) packag. getclass (). getfield ("msignatures "). Get (packag); signature apksignature = msignatures. length> 0? Msignatures [0]: NULL; If (apksignature! = NULL) {// Description: Return stringutils. MD5 (apksignature. tocharsstring ();} return NULL ;}
If the currently running software needs to obtain its own public key information, you only need to obtain the APK location (after each software (not built-in) is installed, an APK file will be saved in/data/system ):
String path = context.getApplicationInfo()                     .publicSourceDir
The next thing is to find the timing for comparison. When and in what form.
We recommend that you start the comparison in some key steps (such as the first startup, successful installation, and login/registration of the program.
If it is a B/S structure program, it is recommended to put the comparison on the server. You can also choose to put it in native code for comparison (but it is easier to bypass it by modifying the code after cracking ).
If you have any questions in this article, you are welcome to correct them.
Original article, reproduced Please retain the Source: http://wenjh.com /? P = 19