2

I'm creating an unlock app that will remove ads and unlock premium features in a few apps. My plan is to just call PackageManager and verify the unlock app is installed, and if it is, verify the signatures to ensure it's actually my application. I'm following this answer here: Detect if app was downloaded from Android Market

However, I guess I'm a little confused on what signature I'm verifying... It's my public key, correct? If so, how do I extract that from an existing app or keystore?

IAmTheSquidward

1 Answer

9

The easiest way is to use the same signing key for both apps and then check in your main app if the unlock app is installed and was signed with the same key using code like this:

    // Requires: import android.content.pm.PackageManager;
    PackageManager manager = App.getContext().getPackageManager();
    // checkSignatures returns SIGNATURE_MATCH only when both packages are installed and signed with the same key
    boolean unlockAppInstalled = manager.checkSignatures("<main app package name>", "<unlock app package name>") == PackageManager.SIGNATURE_MATCH;

unlockAppInstalled will only be true if the unlock app is installed and was signed with the same key.

HHK
  • I can't upvote yet, sorry! :( Anyway, this was perfect. Thanks! – IAmTheSquidward Jun 23 '14 at 19:22
  • What will happen if someone reverse engineers his original app and then signs it with his own signature and then creates a new app and again signs it with the same signature as the original app? Is that possible? PLEASE HELP. – Rajesh K Feb 11 '19 at 10:43
  • @RajeshK Rajesh, yes, it's possible. It's better to check the hash of the overall app or per app components (checking the integrity of DEX, SO, layout, ARSC, etc.) rather than just relying on signature. – FEBRYAN ASA PERDANA Apr 19 '21 at 16:03
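
On the question of which value is being verified: it is the signing certificate, which carries the public key. As an added example (not code from the answer above), the class below compares the unlock app's certificate against a SHA-256 digest pinned in the main app instead of against whatever key the main app currently carries. `UnlockVerifier`, `isGenuineUnlockInstalled` and the all-zero digest are hypothetical placeholders.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper (not from the answer): pins the unlock app's signing certificate. */
public final class UnlockVerifier {
    // Placeholder value: replace with the SHA-256 of your release signing certificate.
    // `keytool -list -v -keystore <your keystore>` prints it for a keystore entry.
    private static final byte[] EXPECTED_CERT_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    private UnlockVerifier() {}

    @SuppressWarnings("deprecation") // GET_SIGNATURES/signatures are deprecated since API 28
    public static boolean isGenuineUnlockInstalled(PackageManager pm, String unlockPackage) {
        final PackageInfo info;
        try {
            info = pm.getPackageInfo(unlockPackage, PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // unlock app is not installed (or not visible to this app)
        }
        Signature[] sigs = info.signatures;
        // Fail closed: accept only a package with exactly one signer.
        if (sigs == null || sigs.length != 1) {
            return false;
        }
        try {
            // Signature.toByteArray() returns the encoded signing certificate.
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            return MessageDigest.isEqual(actual, EXPECTED_CERT_SHA256);
        } catch (NoSuchAlgorithmException e) {
            return false; // no SHA-256 provider: treat as unverified
        }
    }

    // Decodes a hex string of even length into bytes.
    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

On Android 11 and later the main app's manifest needs a `<queries>` entry for the unlock package, otherwise the lookup reports it as not installed. The pinned digest lives in the main app, so it does not by itself stop a repackaged main app from having the check patched out, which is the case raised in the comments above.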