1

I want to detect any tampering in the APK file and validate the App or Built integrity. When I searched online I got this solution from official sources - https://developer.android.com/google/play/integrity/overview

However it looks little too much to implement and involves changes on the server side as well. Hence I looked into another solution i.e finding out the signature of current keystore that is used to sign my Application and send it to the backend(which already has the original signature before uploading the build to PlayStore) to validate.

Sample code:

SigningInfo signingInfo = getPackageManager()
              .getPackageInfo(getPackageName(), PackageManager.GET_SIGNATURES)
              .signingInfo;
signingInfo.getApkContentsSigners();
//Send the information to backend to check if matches our original release.keystore signature
  1. Is there is any downside to the above simple code to check for APK integrity?
  2. If there aren't any then - What is the reason Goggle recommends Play Integrity API instead of this simple solution
Housefly
  • 4,324
  • 11
  • 43
  • 70
  • You forgot to mention it, but I assume your question is about checking the integrity of your own app, not checking app integrity of third part/all apps on a device. In such a case checking the signature would be a first step to detect if your app has been repackaged/modified/resigned. However using apktool it would take me about 5 minutes to patch your app and make this check always return the expected signer information. – Robert Sep 04 '22 at 10:43
  • Your are right @Robert, this is to check that my own app is not modified. As per your comment - `How do you know what is the expected signer information?` I would be storing that in my backend database and checking it within my login/signup APIs. – Housefly Sep 04 '22 at 11:11
  • The APK signature is an information any app can access or that you can easily extract from your APK file(s). So if I have the original APK file(s) of your app I have the signature. So it is possible to save the signature as binary dump and when decompiling the app using apktool you can insert those bytes as static byte array, construct the Signature instance and I have the same data `signingInfo.getApkContentsSigners();` returns. So no matter what signature the app uses it will return signature you expect. – Robert Sep 04 '22 at 11:15
  • Got it. I know nothing is 100% foolproof, but I am assuming you are saying - Checking the signing info is very basic and using Play Integrity is more robust? – Housefly Sep 04 '22 at 11:29
  • If I understand it correctly the integrity check is performed by Google Play Services and Google Backend server and the verify result comes from Google backend server not the app, so it is much harder to fake. – Robert Sep 04 '22 at 12:24

1 Answers1

3

Your Problem

However it looks little too much to implement and involves changes on the server side as well.

Securing a mobile app is a very complex task and when done only on the client side allows for an attacker to bypass any decision made regarding its integrity.

Attackers can use reverse engineer techniques to decompile your mobile app and tamper with it or they can use an instrumentation framework to hook into your code at runtime to change its behaviour and/or extract whatever its required to then automate attacks against the mobile app backend.

Some very popular open source tools exist to make reverse engineering easier:

MobSF - Mobile Security Framework

Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing.

Frida:

Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

To account for the use of such reverse engineer tecniques any decisions made about the integrity of a mobile app and device its running on always need to be performed on the backend based on measurements/challenges taken/executed from/in the mobile app and device its running on.

Hence I looked into another solution i.e finding out the signature of current keystore that is used to sign my Application and send it to the backend(which already has the original signature before uploading the build to PlayStore) to validate.

An attacker can easily perform a MitM attack to intercept this request and then extract this signature you are sending to the backend. From here it will be trivial for the attacker to impersonate your mobile app when doing API requests to your API backend. You can learn how to do a MitM attack on your own mobile to try by yourself to extract its signature, and I can help you with that by pointing you to my article Steal that Api Key with a Man in the Middle Attack:

In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

While my article is to extract the API key, the steps are the same for extracting your app signature from the API request.

Sample code:

SigningInfo signingInfo = getPackageManager()
             .getPackageInfo(getPackageName(), PackageManager.GET_SIGNATURES)
             .signingInfo;
signingInfo.getApkContentsSigners();
//Send the information to backend to check if matches our original >release.keystore signature
  1. Is there is any downside to the above simple code to check for APK integrity?

I already mention the MitM attack as a way of extracting the signature being sent to the backend, but an attacker can also resort to use Frida to hook at runtime into the function with this code and extract the signature. The attacker can also decompile your mobile app binary and extract the signature from it.

The downside of your approach is that its easy to bypass by attackers, even by the ones that aren't very skilled, like scripts kids, that just google search on how to do stuff and/or use the dark web to buy specialized solutions/tools to help them achieving their malicious intents.

  1. If there aren't any then - What is the reason Goggle recommends Play Integrity API instead of this simple solution

The reason Google recommends the Play Integrity API it's because it relies on more advanced techniques that also require a backend side integration, thus making the process harder to bypass and requiring a lot more skills to perform a successful attack.

Possible Solutions

I want to detect any tampering in the APK file and validate the App or Built integrity. When I searched online I got this solution from official sources - https://developer.android.com/google/play/integrity/overview

Even if you are willing to put all the effort to implement this solution you need to consider the downside of being a solution only for Android, therefore requiring another solution for when you also want to have an iOS app using the same API backend.

I recommend you to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution for an alternative approach to attest the integrity of your mobile app and device its running on and to lock down your API server to your mobile app. The solution on the answer I link suggests the use of a Mobile App Attestation solution that will attest the integrity of the device and mobile app via a cloud service that will issue a JWT to enable the API server to know that what is making the API requests is indeed a genuine and unmodified instance of your mobile app as uploaded to the Android Play store.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIS

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

Exadra37
  • 11,244
  • 3
  • 43
  • 57