
Looking to improve the security of my Android app to flag if the .apk has been extracted, modified, repacked and resigned. Here's an article from ZDNet noting the issue: link1.

The concern is that if the app is targeted by hackers they could add malicious code, upload it to an alternate app store and dupe users into downloading it.

So I'm thinking code to verify a checksum of the apk or signing certificate?

I appreciate the app code could be repacked and any security code removed, but it does increase the difficulty of repacking it, maybe enough for them to try another app.

[update] I know the Google Play store licensing module offers something similar, but I'm looking for something for non-paid apps and other/non-marketplaces.

scottyab
  • Old question now, but since then I've researched it and recently wrote a blog post that includes the signature verification https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app – scottyab Nov 20 '14 at 09:46
  • related https://android.stackexchange.com/questions/9312/how-can-i-verify-the-authenticity-of-an-apk-file-i-downloaded – Ciro Santilli OurBigBook.com Nov 06 '17 at 17:59

3 Answers


I ended up using DexGuard (paid obfuscator for Android). It offers a module that performs APK verification. It is simple to implement and offers better than average protection.

Here's the code to do the check:

dexguard.util.TamperDetection.checkApk(context)

The main issue is where to store the checksum of the APK to verify against, given that it could be replaced. The DexGuard way is to check it locally, but using other features like class/string encryption and API hiding obscures this call.

camelCaseCoder

Here are some of the articles that could help you out.

Retrieving APK signature during runtime.
Self checking an APK signature.
How to check APK signature.

Ragunath Jawahar
  • Thanks, those articles point to how to get the signature of the app from the PackageManager. However, not how to verify it is the correct one (I might be missing something really obvious.) – scottyab Oct 09 '12 at 14:53

Use the Google licensing service. It will connect with the Play store to make sure the user purchased the app every few days (you can set the amount). Also look at ProGuard. It strips all the class, method, and variable names out of your code, making it really hard to understand once it's decompiled.

kagronick
  • Thanks, I'm aware of the licensing service, but that's no good for non-paid apps; I've updated the question. Also, obfuscation is a good start but doesn't prevent decompiling; agreed, it does make it harder. – scottyab Oct 08 '12 at 15:52
  • Nor is it good enough for paid apps. Several apps uploaded on Aptoide have cracked the Google licensing. – beetree Feb 01 '15 at 05:12