
Get checksum of the source codes in Android library

I am developing an android library and I want to apply a tamper-detection mechanism to my code, since it calls some sensitive financial web services.

What I'm going to implement is to calculate the checksum of the apk ( or important parts of it), programmatically on the runtime, so I can prevent a repackaged or recompiled apk from being able to do any harm (tamper prevention).

What I have come up with so far is to calculate the checksum of applicationInfo.publicSourceDir, but I'm not sure what happens with the apps that have multiple dex files or multiple split APKs.

What is the most reliable way to calculate checksum based on the code-base of an application in Android, programmatically?

If you distribute via Play, you can look at SafetyNet: https://developer.android.com/training/safetynet/index.html

The checksum approach can be applied to single file or zip files. It will be a lengthy process to check the checksum of all files. I think you are in the wrong direction.

Firstly, there is no clear solution to this problem. Any app can be hacked - you can just make it hard to hack.

This is what is done to make it hard -

  1. Encrypt your apk - so that it's hard to get to your source code. Refer - APK to protect apk from reverse engineering - check obfuscating tools.

  2. Use data encryption while sending/receiving data from WebService. You can use HMAC to protect the data. Make sure your server is smart enough to block user/requesting-apps in case there are multiple bad calls. HMAC is easy to implement and there are libraries to generate HMAC keys.

Get the app signature which is tied to the certificate used to sign the APK

import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import java.security.MessageDigest;

// Note: GET_SIGNATURES is deprecated since API 28 (GET_SIGNING_CERTIFICATES replaces it),
// "SHA" resolves to SHA-1 in Java, and only the first signer's certificate is hashed.
public static String getAppSignature(Context context) {
    try {
        for (Signature signature : context.getPackageManager().getPackageInfo(context.getPackageName(),
                PackageManager.GET_SIGNATURES).signatures) {
            MessageDigest md = MessageDigest.getInstance("SHA");
            md.update(signature.toByteArray());          // DER bytes of the signing certificate
            return Base64.encodeToString(md.digest(), Base64.DEFAULT);
        }
    } catch (Exception e) { /* Do nothing */ }
    return null;
}

This can be compared with a stored value to check if the signing certificate is the original or not.
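As an added example (not code from the question or any of the answers above), the following class covers both points raised in the thread: a single digest over the base APK and every split APK, which is what the question asks about, and a pinned-certificate check on the API 28+ signing API instead of the deprecated GET_SIGNATURES call shown above. It assumes minSdkVersion 28 and a placeholder constant for the release certificate hash; whatever you compare the code digest against should be held server-side, since a value pinned inside the APK can be patched along with the code.

```java
import android.content.Context;
import android.content.pm.*;
import android.util.Base64;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.util.*;

public final class IntegrityCheck {   // assumes minSdkVersion 28 (Build.VERSION_CODES.P)
    // Placeholder, not a real value: Base64 of the SHA-256 of the release signing certificate.
    private static final String EXPECTED_CERT_SHA256_B64 = "<release-cert-sha256-base64>";

    /** Base APK plus every split APK; splitSourceDirs is null when the app has no splits. */
    public static List<String> codePaths(Context ctx) {
        ApplicationInfo ai = ctx.getApplicationInfo();
        List<String> paths = new ArrayList<>();
        paths.add(ai.sourceDir);
        if (ai.splitSourceDirs != null) paths.addAll(Arrays.asList(ai.splitSourceDirs));
        Collections.sort(paths); // fixed order so the digest is stable across installs
        return paths;
    }

    /** One SHA-256 over the bytes of every installed APK, which covers every dex file inside them. */
    public static byte[] codeDigest(Context ctx) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[64 * 1024];
        for (String path : codePaths(ctx)) {
            try (InputStream in = new FileInputStream(path)) {
                for (int n; (n = in.read(buf)) > 0; ) md.update(buf, 0, n);
            }
        }
        return md.digest();
    }

    /** True only if every signer certificate hashes to the pinned value (constant-time compare). */
    public static boolean signerMatches(Context ctx) throws Exception {
        PackageInfo pi = ctx.getPackageManager().getPackageInfo(ctx.getPackageName(),
                PackageManager.GET_SIGNING_CERTIFICATES);
        Signature[] sigs = pi.signingInfo.getApkContentsSigners(); // key-rotation history not handled
        if (sigs == null || sigs.length == 0) return false;
        byte[] expected = Base64.decode(EXPECTED_CERT_SHA256_B64, Base64.NO_WRAP);
        for (Signature s : sigs) {
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(s.toByteArray());
            if (!MessageDigest.isEqual(expected, actual)) return false;
        }
        return true;
    }
}
```

Both checks only raise the bar, as the answer above notes: a repackager who controls the APK can remove the check itself, so the server should also verify the digest it receives rather than trusting the client's verdict.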
