-1

I have the following situation. Another application is calling mine (using startActivityForResult). Since I have to be sure that the calling activity comes from a developer I trust, I'd like to read the developer's public key and compare it with a value that is hardcoded in my app. I tried the following:

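// Assumed context: callingActivity = getCallingActivity(), manager = getPackageManager()
String packageName = callingActivity.getPackageName();
String signature = null;
try {
     PackageInfo pi = manager.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
     // assumption: get the first available signature
     // actually according to Google for applications there will be always one element
     signature = pi.signatures[0].toCharsString();
} catch (PackageManager.NameNotFoundException e) {
     // calling package could not be resolved; signature stays null
}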

But this gives me the application (not developer) signature.

Marcin
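The comparison the question describes, a caller's signing certificate checked against a value pinned in the receiving app, written out as an added example (not code from the post or from either participant). The class name `CallerVerifier`, the method `isTrustedCaller` and the all-zero digest are assumptions made for illustration; the digest is a constructed placeholder.

```java
import android.app.Activity;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper; the name is an assumption, not from the post. */
public final class CallerVerifier {

    // Constructed placeholder: hex SHA-256 of the trusted signing certificate bytes.
    // Replace with the digest of the certificate you actually trust.
    private static final String TRUSTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private CallerVerifier() {}

    /** True only if the caller's single signing certificate matches the pinned digest. */
    public static boolean isTrustedCaller(Activity activity) {
        // getCallingPackage() is null unless the caller used startActivityForResult().
        String caller = activity.getCallingPackage();
        if (caller == null) return false;
        try {
            PackageInfo pi = activity.getPackageManager()
                    .getPackageInfo(caller, PackageManager.GET_SIGNATURES);
            // Fail closed on zero or several signers instead of trusting element 0.
            if (pi.signatures == null || pi.signatures.length != 1) return false;
            byte[] actual = MessageDigest.getInstance("SHA-256")
                    .digest(pi.signatures[0].toByteArray());
            // Compare raw digests in constant time rather than comparing strings.
            return MessageDigest.isEqual(actual, hexToBytes(TRUSTED_CERT_SHA256));
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // Unknown package or missing digest algorithm: untrusted.
        }
    }

    // Decodes a lowercase or uppercase hex string of even length into bytes.
    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Call it from the receiving activity's `onCreate` and finish with `RESULT_CANCELED` when it returns false.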

1 Answer

2

Use Android custom permissions for this purpose. By defining a permission in your application, you can restrict other apps that use your activity/service unless they have a uses-permission in their manifest. Read this for more info:

http://developer.android.com/training/articles/security-tips.html#Permissions

For an example:

https://stackoverflow.com/a/8817231/607968

Community
rDroid
  • Not really an option for me. A couple of reasons, but the main one is: http://commonsware.com/blog/2014/08/04/custom-permission-vulnerability-l-developer-preview.html – Marcin Nov 14 '14 at 11:38