10

I would like to programmatically check the APK's signature at runtime. I own a keystore on my development workstation, so I could know (I don't know how) the public key I'm signing an APK with.

Once I know what the public key will be after signing, I would like to put it in the source code and check whether the currently running application matches the key.

Is it possible? If so, how do I obtain the public key from an Eclipse-generated keystore?

Thanks.

usr-local-ΕΨΗΕΛΩΝ

2 Answers

6

You could try this; it should work.

    import android.content.pm.PackageManager;
    import android.content.pm.Signature;
    import android.util.Log;

    Signature[] sigs = context.getPackageManager()
            .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES)
            .signatures;   // DER-encoded signing certificate(s) of this package
    for (Signature sig : sigs) {
        // log the sig here (hex-encoded certificate bytes)
        Log.d("SigCheck", sig.toCharsString());
    }
Faisal Abid
    Does not work after uploading to the Play Store. I tried the APK before uploading to the Play Store and it works, but after uploading, the signature changes. – Tenten Ponce Feb 19 '20 at 06:28
  • @TentenPonce what is the solution? Did your app signature change after uploading to Google Play? – Farzad Mar 04 '20 at 15:27
  • @Farzad still looking for another solution, but we could try to publish a pre-release version to check the signature on the Play Store, then re-release with the signature that we got from the Play Store app. – Tenten Ponce Mar 04 '20 at 16:24
  • @TentenPonce Can saboteurs neutralize this solution by changing the Java code? – Farzad Mar 04 '20 at 18:57
  • @Farzad well yes, they can still remove the code that checks the signature. There's no silver bullet in security, as they say. You can only make it hard, not totally prevent it. – Tenten Ponce Mar 09 '20 at 01:32
  • Why does the signature change after uploading to the Play Store? – D.madushanka Feb 03 '21 at 04:30
  • @D.madushanka because the Play Store re-signs your app using their own signing key. The signing key you used the first time is then used to verify that you're the one uploading the APK/AAB. You can turn this off, but it is not recommended. – Abdullah Z Khan Jan 31 '22 at 04:59
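A complete version of the check the question asks for, added here as an example and not code from either answer: it hashes each signing certificate down to the SHA-256 fingerprint that keytool prints, so the expected value fits in a source constant, and it uses GET_SIGNING_CERTIFICATES on Android 9+ (where GET_SIGNATURES is deprecated) with the older flag as the fallback. The class name, the method names and the EXPECTED_SHA256 placeholder are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import android.os.Build;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

/** Runtime check that this package was signed by the expected release certificate. */
public final class SignatureCheck {

    // Placeholder (assumption): SHA-256 fingerprint of the release signing certificate,
    // copied from `keytool -list -v -keystore <keystore> -alias <alias>`.
    // Until it is replaced, isSignedWithExpectedKey() always returns false.
    private static final String EXPECTED_SHA256 = "REPLACE_WITH_SHA256_FINGERPRINT";

    private SignatureCheck() {}

    /** Signing certificates of the running package, via the API for the current OS level. */
    public static Signature[] currentSignatures(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            SigningInfo si = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES)
                    .signingInfo;
            // Multiple signers: every current certificate. Otherwise the history: the current
            // certificate plus any it was rotated from (APK Signature Scheme v3 lineage).
            return si.hasMultipleSigners() ? si.getApkContentsSigners()
                                           : si.getSigningCertificateHistory();
        }
        @SuppressWarnings("deprecation")
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return info.signatures;
    }

    /** Colon-separated upper-case SHA-256 of the DER certificate, the format keytool prints. */
    public static String sha256Fingerprint(Signature sig) {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on Android", e);
        }
        byte[] digest = md.digest(sig.toByteArray());
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format(Locale.ROOT, "%02X", digest[i]));
        }
        return sb.toString();
    }

    /** True if any signing certificate of this package matches EXPECTED_SHA256. */
    public static boolean isSignedWithExpectedKey(Context ctx) {
        Signature[] sigs;
        try {
            sigs = currentSignatures(ctx);
        } catch (PackageManager.NameNotFoundException e) {
            return false;   // cannot happen for our own package; fail closed anyway
        }
        if (sigs == null) return false;
        byte[] expected = EXPECTED_SHA256.toUpperCase(Locale.ROOT)
                .getBytes(StandardCharsets.US_ASCII);
        for (Signature sig : sigs) {
            byte[] actual = sha256Fingerprint(sig).getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(expected, actual)) return true;   // constant-time compare
        }
        return false;
    }
}
```

To get the value to embed, run `keytool -list -v -keystore <your keystore> -alias <alias>` against the keystore Eclipse exported the APK with; it prints the certificate fingerprints (SHA-256 included on any current JDK). The fingerprint must belong to the key that signs the APK users actually install: with Play App Signing that is Google's app signing key, whose certificate is shown in the Play Console under App signing, not the upload key, which is why the comments above see a different signature after upload. And, as the comments also note, the check lives inside the APK, so anyone able to repackage the app can remove it; it raises the bar for casual repackaging but is not a root of trust.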
0

I think I have the same situation as you. Here is my original solution.

You may have a try on it.

    Signature sig = context.getPackageManager()
            .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures[0];
    // getPackageArchiveInfo (not "Achive") reads the signature of an APK file on disk
    Signature releaseSig = context.getPackageManager()
            .getPackageArchiveInfo("/mnt/sdcard/myReleaseApk.apk", PackageManager.GET_SIGNATURES).signatures[0];
    return sig.equals(releaseSig);   // compares certificate bytes; hashCode() values can collide
Shengfeng Li