stackoom
  简体   繁体   中英

Figuring out programmatically if a Java class was patched?

 原文  2018-11-17 10:03:48       java/ android/ security/ digital-signature/ checksum

Question

Is it possible to figure it out programmatically, if anybody patched a class of a compiled code, especially in Android? Example: My building (eg an .apk) contains a class PiracyCheck.class. Is it possible to run at compile time some kind of 'checksum' of that class (executed by another class)? I imagine that I get any value from it, let's say abcdefg. If anybody patches this class, the checksum would be suddenly 123456 instead of abcdefg. I verify the checksum on a backend server. If the checksum was correct, then proceed, if not, abort. or there any better solutions to achieve that?

(btw: If a cracker wants to repackage and resign the app, I would already be on the safe side, because I also check the signature, but I'm sure that anybody can bypass this check by decompiling and editing the bytecode itself, that means, a resign is not needed and the certificate won't change then).

1 answers

solution1
 0 ACCPTED  2018-11-17 11:20:21

You can do some of those things. But you can't put them together into a system that will prevent someone from running a "cracked" version of your code.

Is it possible to run at compile time some kind of 'checksum' of that class (executed by another class)?

If is possible to generate a cryptographic checksum of a class at compile time, record on the server side, or in the ".apk", or both.

It is also possible to compute the such checksum on the client side.

What you can't do is force either the Android platform, or the hacked ".apk" to generate a truthful checksum:

  • I don't think that the Android platform provides this functionality, and if it did, it could be subverted on a "rooted" device.

  • Naturally, if someone went to the trouble of hacking your ".apk", they could subvert any "self checksumming" code in the ".apk" to deliver the original checksum rather than the checksum of the actual code.

Either way, your server will see the checksum that it is expecting, rather than a valid checksum of the actual code. It will be fooled.

Basically, if you need to execute your code on a platform that is effectively in the control of the user, you cannot prevent the user from subverting your code. The best you can hope for is to make it hard work for someone with the appropriate skills to do this.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question JAVA - Figuring out the difference figuring out what counts as an instruction in java code Java having trouble figuring out Quicksort Median of 3 Figuring out the real Java heap on AWS Fargate Figuring Out a Java Method in a Simple Pong Game Figuring out where to store local files in Java java: figuring out origin package of missing symbol Android / Java - Figuring out what the date will be Figuring out whether a number is a Double in Java I'm working on databases in my java class, and I need help figuring out how to update a specific value/column in the database
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM