
Given that we have an APK file, accessible on an Android device on the filesystem, how can we, from another Android app:

  • Confirm that the APK file has not been tampered with (that its digital signature matches its contents)?

  • Get the public key information (specifically, the same sort of SHA256 hash that keytool -list -printcert -jarfile test.apk would emit on a development machine)?

Note that this APK has not been installed at this point, so we cannot use PackageManager to retrieve the "signatures" of the installed app, nor can we rely on Android having validated the APK signature for us.

CommonsWare
  • Maybe the answers over here can help you: http://stackoverflow.com/q/7104624/4350275 – Prerak Sola Oct 17 '16 at 14:09
  • @PrerakSola: That code is for running on a developer machine. It is not for running on Android itself, which is what this question is focused on. Thanks, though! – CommonsWare Oct 17 '16 at 14:29
  • You should be able to use [PackageParser.java](https://github.com/android/platform_frameworks_base/blob/master/core/java/android/content/pm/PackageParser.java) code, e.g. you can read certs like [this](https://gist.github.com/SelvinPL/fe855fb4d12f08a8d6b3becffdc7c458) and then compare them with META-INF/CERT.SF – Selvin Oct 17 '16 at 15:26
  • @Selvin: That has potential. I knew the AOSP had to have code that did this sort of thing, but I wasn't sure where. Thanks! – CommonsWare Oct 17 '16 at 15:27

1 Answer


I totally whiffed on this. PackageManager has a getPackageArchiveInfo() method, available since API Level 1.

So, you call that, passing in the path to the APK, along with PackageManager.GET_SIGNATURES. If you get null back, the APK was tampered with and does not have a valid digital signature. If you get a PackageInfo back, it will have the "signatures", which you can use for comparison purposes.

CommonsWare
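A worked version of the approach in the answer, added here as an example and not code from the question, the answer or the Android project: a helper class (the name ApkSignatureCheck and the Result type are my own) that calls getPackageArchiveInfo() on the not-yet-installed APK, treats a null result as "does not parse or does not verify", and hashes each signer certificate the way keytool -printcert produces its SHA256 fingerprint. It assumes the file is readable by the calling app, and it uses GET_SIGNING_CERTIFICATES on API 28 and later, where GET_SIGNATURES is deprecated.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

/**
 * Checks an APK that sits on the filesystem but is not installed.
 * getPackageArchiveInfo() parses the archive and, when signatures are requested,
 * collects and verifies the signer certificates; it returns null if the archive
 * does not parse or the signature does not match its contents.
 * (Example helper, not part of the Android framework.)
 */
public final class ApkSignatureCheck {

    /** Outcome of checking one APK file. */
    public static final class Result {
        public final boolean valid;
        /** keytool-style SHA256 fingerprints (colon-separated upper-case hex), one per signer. */
        public final List<String> sha256Fingerprints;

        Result(boolean valid, List<String> fingerprints) {
            this.valid = valid;
            this.sha256Fingerprints = Collections.unmodifiableList(fingerprints);
        }
    }

    private ApkSignatureCheck() {}

    @SuppressWarnings("deprecation")
    public static Result check(Context ctx, String apkPath) {
        PackageManager pm = ctx.getPackageManager();
        // GET_SIGNATURES is deprecated from API 28; GET_SIGNING_CERTIFICATES fills PackageInfo.signingInfo instead.
        boolean useSigningInfo = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P;
        int flags = useSigningInfo ? PackageManager.GET_SIGNING_CERTIFICATES : PackageManager.GET_SIGNATURES;

        PackageInfo info = pm.getPackageArchiveInfo(apkPath, flags);
        if (info == null) {
            // unparseable archive, or a signature that does not match the contents
            return new Result(false, new ArrayList<String>());
        }

        Signature[] signers;
        if (useSigningInfo) {
            signers = (info.signingInfo == null) ? null : info.signingInfo.getApkContentsSigners();
        } else {
            signers = info.signatures;
        }
        if (signers == null || signers.length == 0) {
            // parsed, but no signer certificate was collected: treat as unverified
            return new Result(false, new ArrayList<String>());
        }

        List<String> fingerprints = new ArrayList<>();
        for (Signature s : signers) {
            // Signature.toByteArray() is the DER-encoded X.509 certificate, which is
            // what keytool hashes for its "SHA256:" fingerprint line.
            fingerprints.add(sha256Fingerprint(s.toByteArray()));
        }
        return new Result(true, fingerprints);
    }

    /** SHA-256 over the DER certificate, formatted as AB:CD:... like keytool -printcert. */
    static String sha256Fingerprint(byte[] derCertificate) {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on Android", e);
        }
        byte[] digest = md.digest(derCertificate);
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format(Locale.ROOT, "%02X", digest[i]));
        }
        return sb.toString();
    }

    /** True when the APK verified and one of its signers matches the pinned fingerprint. */
    public static boolean signedBy(Result r, String expectedFingerprint) {
        if (!r.valid) return false;
        byte[] expected = expectedFingerprint.toUpperCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        boolean match = false;
        for (String fp : r.sha256Fingerprints) {
            // constant-time comparison, so the pinned value is not leaked byte by byte
            match |= MessageDigest.isEqual(fp.getBytes(StandardCharsets.US_ASCII), expected);
        }
        return match;
    }
}
```

Typical use is `Result r = ApkSignatureCheck.check(context, path); if (ApkSignatureCheck.signedBy(r, PINNED_SHA256)) { ... }`, with PINNED_SHA256 copied from the keytool output on the development machine. Two caveats worth keeping in mind: check a copy of the file in app-private storage rather than a path another process can write to, otherwise the file can be swapped between this check and whatever you do with it next; and on API 28+ an app whose signing key has been rotated exposes its older certificates through `signingInfo.getSigningCertificateHistory()`, not through `getApkContentsSigners()`, so pin against whichever of the two your policy intends.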