Android Code Snippet Get the APK signature at runtime

Discussion in 'Code Snippets' started by Erel, Aug 30, 2016.

  1. Erel

    Erel Administrator Staff Member Licensed User

    This code returns the SHA-1 hash of the signing key certificate used to sign the APK.
    It is the same value that you can see under Tools - Private Sign Key:

    [​IMG]

    You can use it to test whether someone has rebuilt your app and signed it with his own key.

    [​IMG]

    Code:
    Sub GetSignatureHash As String
       
    Dim jo As JavaObject
       jo.InitializeContext
       
    Dim signatures() As Object = jo.RunMethodJO("getPackageManager"Null).RunMethodJO("getPackageInfo", _
         
    Array (Application.PackageName, 0x00000040)).GetField("signatures")
       
    Dim sig As JavaObject = signatures(0)
       
    Dim md As MessageDigest
       
    Dim hash() As Byte = md.GetMessageDigest(sig.RunMethod("toByteArray"Null), "SHA-1")
       
    Dim bc As ByteConverter
       
    Dim raw As String = bc.HexFromBytes(hash)
       
    Dim sb As StringBuilder
       sb.Initialize
       
    For i = 0 To raw.Length - 2 Step 2
         sb.Append(raw.CharAt(i)).Append(raw.CharAt(i + 
    1)).Append(":")     
       
    Next
       sb.Remove(sb.Length - 
    1, sb.Length)
       
    Return sb.ToString
    End Sub
    It depends on: JavaObject, Encryption and ByteConverter libraries.


    Tags: apk signature, sha-1, hash
     
  2. wonder

    wonder Expert Licensed User

    What can be done with such information?
    Any practical examples?
     
  3. Erel

    Erel Administrator Staff Member Licensed User

    You can use it to protect your application.
    This is a simple measure that can protect against simple hackers.

    There are automatic tools that non-developers can use to crack certain elements in your app. You can use this signature to test whether the APK was modified or not.

    More advanced hackers can workaround this test.
     
    somed3v3loper and wonder like this.
  4. Informatix

    Informatix Expert Licensed User

    I really doubt that will protect anything. If someone modifies your app by hand (without a tool), the condition to check the signature will be removed too (why would he leave it?). Removing a condition is one of the easiest things to do. And if someone modify your app with a tool, what tool are you talking about? For what purpose? The last time I tried a tool to remove automatically the Google license check from my B4A app, it failed because B4A does not implement this protection exactly like standard Android apps. Anyway, as I explained in the ProBundle guide, it takes less than 10 minutes to remove it by hand, even when you know nothing to B4A. And there are websites to explain in details how to do, so...
     
    Last edited: Aug 31, 2016
    NJDude likes this.
  5. Erel

    Erel Administrator Staff Member Licensed User

    The signature hash is used by Google and Firebase to help with the protection of their services (FirebaseAuth for example).

    As I wrote it can help with very simple hack attempts.
    It can be more than a simple condition:
    Code:
    If signature = "..." = False Then ExitApplication
    You can be creative and calculate a number from the signature and use it later in your program.
    You can send it to your backend server as part of the request and validate it.

    I agree that it is a weak protection. The main advantage is that it is trivial to add it to your app.
     
  6. Informatix

    Informatix Expert Licensed User

    If a hacker changes your code, it will test it afterwards and will notice there's something wrong so he will search what's the cause (the signature), then where the signature is used in the app. If a function converts your signature to anything else, it will replace the computed result by a constant with the right result, so any signature will be valid. If the signature is sent to a server, he will sent the original signature stored in a constant, not the modified one. The workarounds are very simple. Obfuscation may add a bit of difficulty to understand the code but that remains too simple even for an inexperienced hacker, IMO.

    It's better than nothing, of course, as obfuscation is, but should not let people think that they are protected. As most protections, it's a really poor protection if you cannot protect the protection code itself.
     
    NJDude likes this.
  7. AscySoft

    AscySoft Active Member Licensed User

    Is there any other good protection elsewhere?
     
  8. Informatix

    Informatix Expert Licensed User

    Apart my ProBundle, which is a solid protection against the modification of your code and can encrypt some parts, you have the StarForce product which is maybe a good alternative (I cannot say because their solution did not work on my PC and I was unable to test it).
    Note that using the signature is a good idea to check that the code is unmodified but the protection MUST protect also itself. If you can remove the protection, whatever method it uses, it does not protect anything.
     
    alimanam3386 and wonder like this.
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice