
I have an installed app & an APK file, and would like to verify that the installed app & the APK file are signed with the same certificate. The method I use is to compare the certificate serial number:

Get certificate serial number of installed app:

// Each element of signatures[] is the DER-encoded X.509 signing certificate of the package
Signature sig = context.getPackageManager().getPackageInfo("com.myapp", PackageManager.GET_SIGNATURES).signatures[0];
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// Parse the raw bytes back into a certificate object
X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(sig.toByteArray()));
// Print the serial number in hex, the same form keytool -printcert shows it
Log.d(TAG, "SerialNumber: " + cert.getSerialNumber().toString(16));

Get certificate serial number of APK file:

unzip -p build/android/bin/MyApp.apk META-INF/*.RSA | keytool -printcert | grep Serial

So I get a serial number like this: 4f277710

I want to know if this method is good enough, or whether there is a better way.

1 Answer


This is a great read: https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app. In this post Scott Alexander talks about how you can verify an APK by comparing the certificate the app is currently signed with against the one it should be signed with. This post will hopefully guide you in the right direction.

  • Well, this is a good read for implementing tampering prevention, however it doesn't help much in achieving what I'm trying to do. I'm trying to compare the certificate of installed apps with the corresponding APK file (for every app). Using the serial number of the certificate doesn't seem good enough to me. – user1784450 Mar 06 '15 at 03:12
  • I tried to compare the certificate MD5 fingerprint instead. Using the code from http://stackoverflow.com/a/9294410/1784450, and instead of getting the digest of the public key, I get the digest of the certificate itself and am able to match it with the fingerprint produced by keytool. Perhaps comparing the MD5 fingerprint is better? – user1784450 Mar 06 '15 at 03:15
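Following up on the second comment's idea of comparing fingerprints rather than serial numbers (a serial number is just a value the generating tool picked, so two different self-signed certificates can share one), here is an added example that is not from the question or the answer: it hashes the full DER-encoded certificate with SHA-256 on both sides, reading the APK's certificate through JarFile, which also verifies every entry against the JAR signature as it is read. It assumes the APK carries a v1 (JAR) signature, as the unzip of META-INF/*.RSA above implies; the class and method names are chosen here, not Android API names.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.*;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.*;

public final class SignerCheck { // hypothetical helper class, not part of the Android SDK
    // SHA-256 over the full DER-encoded certificate, the same value keytool -printcert reports.
    private static String sha256Hex(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    // Fingerprints of every certificate the installed package is signed with.
    static Set<String> installedFingerprints(Context ctx, String pkg) throws Exception {
        Signature[] sigs = ctx.getPackageManager()
                .getPackageInfo(pkg, PackageManager.GET_SIGNATURES).signatures;
        Set<String> out = new HashSet<>();
        for (Signature s : sigs) out.add(sha256Hex(s.toByteArray())); // toByteArray() is the DER cert
        return out;
    }
    // Fingerprints of the certificates behind the APK's v1 (JAR) signature. JarFile checks each
    // entry against META-INF/*.SF and *.RSA while it is read, and getCertificates() is only
    // populated once the entry has been fully consumed, so every entry is drained first.
    static Set<String> apkFingerprints(File apk) throws Exception {
        Set<String> out = new HashSet<>();
        try (JarFile jar = new JarFile(apk, true)) {
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements(); ) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { } // drain; throws SecurityException on a tampered entry
                }
                Certificate[] certs = e.getCertificates();
                if (certs == null || certs.length == 0) throw new SecurityException("unsigned entry: " + e.getName());
                for (Certificate c : certs) out.add(sha256Hex(c.getEncoded()));
            }
        }
        return out;
    }
    // True only when both carry the same non-empty set of signing certificates.
    static boolean sameSigner(Context ctx, String pkg, File apk) throws Exception {
        Set<String> a = installedFingerprints(ctx, pkg);
        return !a.isEmpty() && a.equals(apkFingerprints(apk));
    }
}
```

Comparing sets rather than signatures[0] alone also covers packages signed with more than one certificate, where element order is not guaranteed to match between the two sides.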