1

I would like to implement security check - signature verification of application (or dex file) to verify that unmodified application uses my shared native library (*.so) build with NDK. I would like to perform all signature checks directly in C++, without Java. Currently I found out that it is possible to access apk file here: /data/app/--1/base.apk. From apk file I guess it's possible to get contents of original dex file probably even without extraction as apk file is aligned.

  1. Does anyone know how to read dex file without extraction from apk?

I say original dex file because if I understand correctly (and correct me if I'm wrong) dex file is converted into ELF shared object when apk is installed - binary executable specific to architecture of device. That was the reason why I was not able to check/verify signature of *.dex file listed in /proc/self/maps (example: /data/dalvik-cache/x86/data@app@com.asdf.pkg@base.apk@classes.dex) because it's not possible to know signature at compile time because dex file will be changed.

I know the method of checking original dex file is not very secure because I think it could be bypassed on rooted device easily by replacing optimized dex file - just run dex2oat on custom dex file and place it in (/data/dalvik-cache/...).

  1. Is there any other better method to check if application is original from native library using plain C++? (without calling Java through JNI)
jozols
  • 560
  • 7
  • 22

1 Answers1

1
  1. Does anyone know how to read dex file without extraction from apk?

Offhand, I can't think of a way to do this.

  1. Is there any other better method to check if application is original from native library using plain C++? (without calling Java through JNI)

I can think of several (and they're all mad as a hatter):

  1. Do a hash of the APK and compare against the hash on an external web server. Can't hardcode the hash, as doing that changes the hash. This should be the easiest. For bonus points, save it locally, so future runs will not require a network connection.
  2. Embed jarsigner in your app. Put it in your assets folder and call it from the native using exec or whatever C++ uses. Hosting an executable within Android application says that it's possible to do. Oracle documentation of jarsigner says that self signed jars output UNKNOWN for the publisher. It's unlikely that someone will upload the app to Google Play, but in theory they could sign it with an authentic certificate, so not sure if this is really secure. Then again, you should be able to check it's signed with your certificate.

It may fail for silly people like me, who use an Intel based device.

  1. Fire and brimstone. Unzip with zlib and check certificate with OpenSSL. I would seriously consider a career change before trying this, but then, I'm not a fan of C/C++.
Community
  • 1
  • 1
Roy Falk
  • 1,685
  • 3
  • 19
  • 45
  • For application authentication I actually ended up using something similar as in your last point. I hardcoded in Native library public certificate found inside of META-INF/CERT.RSA and used zlib to extract APK and compare embedded value with one found in actual APK. Actually embedded value string is encrypted. No OpenSSL was needed here. Attacker has to attack (for example debug) binary Native library to bypass this check which is what I wanted. META-INF/CERT.RSA in APK can't be faked - Android ensures this. – jozols Apr 06 '17 at 17:51