15

I am developing an android library and I want to apply a tamper-detection mechanism to my code, since it calls some sensitive financial web services.

What I'm going to implement is to calculate the checksum of the apk ( or important parts of it), programmatically on the runtime, so I can prevent a repackaged or recompiled apk from being able to do any harm (tamper prevention).

What I have come up with so far, is to calculate the checksum of the applicationInfo.publicSourceDir. but I'm not sure what happens with the apps that have multiple dex files or multiple splitApks.

What is the most reliable way to calculate checksum based on the code-base of an application in Android, programmatically?

Farhad
  • 12,178
  • 5
  • 32
  • 60
  • someone can tamper the app in a way that circumvents the tamper detection mechanism (just thinking out loud) – nandsito May 30 '17 at 09:32
  • we want to prevent the apk repackaging attack with the harmful dex, even if the signing remains unchanged – Farhad May 30 '17 at 10:03
  • @FarhadFaghihi refer this, https://stackoverflow.com/questions/9293019/get-certificate-fingerprint-from-android-app. one can find certificate fingerprint of the application – Calvin Aug 03 '17 at 06:14

3 Answers3

2

If you distribute via play you might have a look into SafetyNet: https://developer.android.com/training/safetynet/index.html

ligi
  • 39,001
  • 44
  • 144
  • 244
  • Is distributing through play store mandatory ? The docs doesn't say anything about distribution policy for this API. Also, the consumer app of my lib may have been downloaded from other local markets – Farhad Jun 05 '17 at 12:01
  • Yea - AFAIK it depends on play-services - but to be honest I never used this particular API myself - was just reading about it – ligi Jun 05 '17 at 14:56
1

The checksum approach can be applied to single file or zip files. It will be a lengthy process to check the checksum of all files. I think you are in the wrong direction.

Firstly, There is no clear solution to this problem. Any app can be hacked - you can just make it hard to hack.

This is what is done to make it hard -

  1. Encrypt the your apk - so that its hard to get to your source code. refer - APK to protect apk from reverse engineering - Check obfuscating tools.

  2. Use data encryption while sending/receiving data from WebService. You can use HMAC to protect the data. Make sure your server is smart enough to block user/requesting-apps in case there are multiple bad calls. HMAC is easy to implement and there are libraries to generate HMAC keys.

Gaurav
  • 559
  • 4
  • 8
  • "Encrypt the your apk" - This is really vague and really different from code obfuscation. – GMX Apr 23 '19 at 15:17
0

Get the app signature which is tied to the certificate used to sign the APK

public static String getAppSignature(Context context) {
    try {
        for (Signature signature : context.getPackageManager().getPackageInfo(context.getPackageName(),
                PackageManager.GET_SIGNATURES).signatures) {
            MessageDigest md = MessageDigest.getInstance("SHA");
            md.update(signature.toByteArray());
            return Base64.encodeToString(md.digest(), Base64.DEFAULT);
        }
    } catch (Exception e) { /* Do nothing */ }
    return null;
}

This can be compared with a stored value to check if the signing certificate is the original or not.

Kanchu
  • 3,721
  • 1
  • 15
  • 14