Android Code Snippet Get the APK signature at runtime

Erel

This code returns the SHA-1 hash of the signing key certificate used to sign the APK.
It is the same value that you can see under Tools - Private Sign Key:



You can use it to test whether someone has rebuilt your app and signed it with his own key.



B4X:
Sub GetSignatureHash As String
   Dim jo As JavaObject
   jo.InitializeContext 'the application context
   'PackageManager.getPackageInfo(packageName, GET_SIGNATURES); 0x40 is the GET_SIGNATURES flag
   Dim signatures() As Object = jo.RunMethodJO("getPackageManager", Null).RunMethodJO("getPackageInfo", _
     Array (Application.PackageName, 0x00000040)).GetField("signatures")
   Dim sig As JavaObject = signatures(0) 'first (and usually only) signer certificate
   Dim md As MessageDigest
   'SHA-1 of the DER encoded signing certificate
   Dim hash() As Byte = md.GetMessageDigest(sig.RunMethod("toByteArray", Null), "SHA-1")
   Dim bc As ByteConverter
   Dim raw As String = bc.HexFromBytes(hash)
   'insert a colon after every pair of hex digits: AB:CD:...
   Dim sb As StringBuilder
   sb.Initialize
   For i = 0 To raw.Length - 2 Step 2
     sb.Append(raw.CharAt(i)).Append(raw.CharAt(i + 1)).Append(":")
   Next
   sb.Remove(sb.Length - 1, sb.Length) 'drop the trailing colon
   Return sb.ToString
End Sub
It depends on: JavaObject, Encryption and ByteConverter libraries.


Tags: apk signature, sha-1, hash

Erel

You can use it to protect your application.
This is a simple measure that can protect against simple hackers.

There are automatic tools that non-developers can use to crack certain elements in your app. You can use this signature to test whether the APK was modified or not.

More advanced hackers can work around this test.

Informatix

> You can use it to protect your application.
> This is a simple measure that can protect against simple hackers.
>
> There are automatic tools that non-developers can use to crack certain elements in your app. You can use this signature to test whether the APK was modified or not.

I really doubt that will protect anything. If someone modifies your app by hand (without a tool), the condition to check the signature will be removed too (why would he leave it?). Removing a condition is one of the easiest things to do. And if someone modifies your app with a tool, what tool are you talking about? For what purpose? The last time I tried a tool to automatically remove the Google license check from my B4A app, it failed because B4A does not implement this protection exactly like standard Android apps. Anyway, as I explained in the ProBundle guide, it takes less than 10 minutes to remove it by hand, even when you know nothing about B4A. And there are websites explaining in detail how to do it, so...

Erel

The signature hash is used by Google and Firebase to help with the protection of their services (FirebaseAuth for example).

As I wrote it can help with very simple hack attempts.
It can be more than a simple condition:
B4X:
If signature = "..." = False Then ExitApplication
You can be creative and calculate a number from the signature and use it later in your program.
You can send it to your backend server as part of the request and validate it.

I agree that it is a weak protection. The main advantage is that it is trivial to add it to your app.
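For readers who want to see what the JavaObject chain above actually calls, here is the same check written directly against the Android API, combined with the "compare it to the expected value" idea from this post. This is an added example, not Erel's code and not part of any B4X library; EXPECTED_SHA1 is a placeholder that you would replace with the value shown under Tools - Private Sign Key.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SignatureCheck {

    // Placeholder value: replace with your own fingerprint from Tools - Private Sign Key.
    private static final String EXPECTED_SHA1 =
            "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33";

    private SignatureCheck() {}

    /** Colon separated upper-case SHA-1 of a DER encoded certificate, same format as the B4X snippet. */
    public static String sha1Fingerprint(byte[] certDer) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(certDer);
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Fingerprint of the first signer certificate of the running APK (GET_SIGNATURES == 0x40). */
    public static String currentFingerprint(Context ctx)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        Signature[] sigs = info.signatures;
        if (sigs == null || sigs.length == 0) {
            throw new IllegalStateException("no signer certificate found");
        }
        return sha1Fingerprint(sigs[0].toByteArray());
    }

    /** True when the APK was signed with the expected key; any failure counts as "not ours". */
    public static boolean isExpectedSigner(Context ctx) {
        try {
            // Constant-time comparison of the two ASCII fingerprint strings.
            return MessageDigest.isEqual(
                    currentFingerprint(ctx).getBytes("US-ASCII"),
                    EXPECTED_SHA1.getBytes("US-ASCII"));
        } catch (Exception e) {
            return false;
        }
    }
}
```

As the rest of the thread points out, this only raises the bar slightly: the check lives inside the APK it is trying to protect, so the same limits apply whether it is written in B4X or Java.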

Informatix

> You can be creative and calculate a number from the signature and use it later in your program.
> You can send it to your backend server as part of the request and validate it.

If a hacker changes your code, he will test it afterwards and will notice there's something wrong, so he will search for the cause (the signature), then for where the signature is used in the app. If a function converts your signature to anything else, he will replace the computed result with a constant holding the right result, so any signature will be valid. If the signature is sent to a server, he will send the original signature stored in a constant, not the modified one. The workarounds are very simple. Obfuscation may add a bit of difficulty to understanding the code, but that remains too simple even for an inexperienced hacker, IMO.

> The main advantage is that it is trivial to add it to your app.

It's better than nothing, of course, as obfuscation is, but it should not let people think that they are protected. Like most protections, it's a really poor protection if you cannot protect the protection code itself.

Informatix

> Is there any other good protection elsewhere?

Apart from my ProBundle, which is a solid protection against the modification of your code and can encrypt some parts, you have the StarForce product, which is maybe a good alternative (I cannot say because their solution did not work on my PC and I was unable to test it).
Note that using the signature is a good idea to check that the code is unmodified, but the protection MUST also protect itself. If you can remove the protection, whatever method it uses, it does not protect anything.