堆栈内存溢出
  简体   繁体   English

获取Android库中源代码的校验和

[英]Get checksum of the source codes in Android library

 原文  2017-05-28 05:45:37       java/ android/ android-library/ dex/ android-security

问题描述

I am developing an android library and I want to apply a tamper-detection mechanism to my code, since it calls some sensitive financial web services. 我正在开发一个Android库,我想在我的代码中应用篡改检测机制,因为它调用了一些敏感的金融Web服务。

What I'm going to implement is to calculate the checksum of the apk ( or important parts of it), programmatically on the runtime, so I can prevent a repackaged or recompiled apk from being able to do any harm (tamper prevention). 我要实现的是在运行时以编程方式计算apk(或其重要部分)的校验和,这样我就可以防止重新打包或重新编译的apk能够造成任何伤害(防篡改)。

What I have come up with so far, is to calculate the checksum of the applicationInfo.publicSourceDir . 到目前为止我想出的是计算applicationInfo.publicSourceDir的校验和。 but I'm not sure what happens with the apps that have multiple dex files or multiple splitApks. 但我不确定具有多个dex文件或多个splitApks的应用程序会发生什么。

What is the most reliable way to calculate checksum based on the code-base of an application in Android, programmatically? 以编程方式基于Android应用程序的代码库计算校验和的最可靠方法是什么?

3 个解决方案

解决方案1
 2  2017-06-05 11:58:19

如果您通过游戏分发,您可以查看SafetyNet: https//developer.android.com/training/safetynet/index.html

解决方案2
 1  2017-06-05 01:30:55

The checksum approach can be applied to single file or zip files. 校验和方法可以应用于单个文件或zip文件。 It will be a lengthy process to check the checksum of all files. 检查所有文件的校验和将是一个漫长的过程。 I think you are in the wrong direction. 我认为你的方向错了。

Firstly, There is no clear solution to this problem. 首先,这个问题没有明确的解决方案。 Any app can be hacked - you can just make it hard to hack. 任何应用程序都可以被黑客攻击 - 你可以让它变得难以入侵。

This is what is done to make it hard - 这就是为了让它变得困难 -

  1. Encrypt the your apk - so that its hard to get to your source code. 加密你的apk - 这样很难找到你的源代码。 refer - APK to protect apk from reverse engineering - Check obfuscating tools. 推荐 - APK保护apk免受逆向工程 - 检查混淆工具。

  2. Use data encryption while sending/receiving data from WebService. 从WebService发送/接收数据时使用数据加密。 You can use HMAC to protect the data. 您可以使用HMAC来保护数据。 Make sure your server is smart enough to block user/requesting-apps in case there are multiple bad calls. 确保您的服务器足够智能,以阻止用户/请求应用程序,以防多个不良呼叫。 HMAC is easy to implement and there are libraries to generate HMAC keys. HMAC易于实现,并且有用于生成HMAC密钥的库。

解决方案3
 0  2017-06-06 05:56:22

Get the app signature which is tied to the certificate used to sign the APK 获取与用于签署APK的证书相关联的应用签名 

public static String getAppSignature(Context context) {
    try {
        for (Signature signature : context.getPackageManager().getPackageInfo(context.getPackageName(),
                PackageManager.GET_SIGNATURES).signatures) {
            MessageDigest md = MessageDigest.getInstance("SHA");
            md.update(signature.toByteArray());
            return Base64.encodeToString(md.digest(), Base64.DEFAULT);
        }
    } catch (Exception e) { /* Do nothing */ }
    return null;
}

This can be compared with a stored value to check if the signing certificate is the original or not. 这可以与存储值进行比较,以检查签名证书是否是原始证书。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 编译android源码,得到完整的android.jar源码 - Build the android source codes to get a Complete android.jar with source codes 如何在Android / Java中获取文件目录的MD5校验和 - How to get a file directory's MD5 checksum in Android/Java 找不到Android SDK中的某些.java源代码 - Some .java source codes from Android SDK not found 获取25英里半径Android的邮政编码 - Get zip codes in a 25 mile radius Android Android:自定义校验和计算 - Android : Custom Checksum Calculation android / java中的校验和计算 - Checksum calculation in android/java 如何示例android源代码比eclipse中的hello world android源代码小? - how sample android source codes are smaller than hello world android source code in eclipse? 获取jar文件的校验和 - Get checksum of a jar file 如何导入android开源库? - How to import android open source library? 在 Android 库中获取上下文 - Get Context in Android library
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM