On Wed, May 11, 2011 at 7:32 PM, Shine <[email protected]> wrote:
>
> In that post, Dianne Hackborn suggests to use binary certificates to
> check .apk integrity (i.e the app was not repacked/cracked)
>
> Do you think that this code is effective to do this? (I also obfuscate
> the code and I made changes to the imported lvl core library as
> suggested, too):
>
> boolean tampered = false;
> try {
>     // getPackageInfo() throws NameNotFoundException if the package is absent
>     PackageInfo inInfo = getApplicationContext().getPackageManager()
>             .getPackageInfo("my.package.name", PackageManager.GET_SIGNATURES);
>     // I only use one signature
>     Signature[] sign = inInfo.signatures;
>     if ("MY_LONG_PUBLIC_KEY".compareTo(sign[0].toCharsString()) != 0) {
>         tampered = true;
>         // I detected tampering? exit
>     }
> } catch (PackageManager.NameNotFoundException e) {
>     tampered = true; // package lookup failed, treat as tampered
> }
>
>

Does this work at all? The signature is different from the public key, so it
shouldn't. Even if it did, if an attacker can repackage your application,
they can replace the public key in the APK with their own. You have to
either do this on a server, or take measures to make the public key in
the apk really hard to get to.

I

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en

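For contrast with the snippet quoted above, here is an added example (not code from either poster) of what a local signing-certificate check usually looks like: it hashes the DER-encoded certificate that `Signature.toByteArray()` returns (the same bytes `toCharsString()` renders as hex; the public key is only one field inside that certificate) and compares the digest in constant time against a pinned value. The class name, `EXPECTED_CERT_SHA256` and the all-zero placeholder digest are assumptions; the real value would come from your own release certificate (for example via `keytool -printcert -jarfile app.apk`). The caveat from the reply still applies: this constant ships inside the APK, so anyone who can repackage the app can also change it, which is why the check is only a speed bump unless the fingerprint is verified on a server you control.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Added example: pin the SHA-256 fingerprint of the app's signing certificate.
 * Lives inside the APK, so it is bypassable by repackaging; see the lead-in.
 */
public final class SigningCertCheck {

    // PLACEHOLDER (assumption): replace with the SHA-256 of your own release
    // certificate. The all-zero value here is not a real fingerprint.
    private static final byte[] EXPECTED_CERT_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    private SigningCertCheck() {}

    /** Returns true only if the first signing certificate matches the pinned digest. */
    public static boolean signingCertMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length == 0) {
                return false;
            }
            // toByteArray() is the DER-encoded X.509 signing certificate,
            // i.e. exactly what toCharsString() shows as hex. Hash it rather
            // than comparing the whole hex string.
            byte[] der = sigs[0].toByteArray();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            // Constant-time comparison avoids leaking how many bytes matched.
            return MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            // Missing package or missing SHA-256 provider: fail closed.
            return false;
        }
    }

    /**
     * Makes the distinction from the reply explicit: the public key is a field
     * of the certificate, not the certificate itself. Returns the
     * SubjectPublicKeyInfo DER encoding.
     */
    public static byte[] signingPublicKeyEncoded(Signature sig) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(sig.toByteArray()));
        return cert.getPublicKey().getEncoded();
    }

    // Small hex decoder so the pinned value can be kept as a readable string.
    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Usage: call `SigningCertCheck.signingCertMatches(getApplicationContext())` early in the app and treat `false` as a signal to stop issuing licensed content. To follow the reply's stronger advice, send the same digest (with a server-issued nonce) to your backend and let the server, not the device, decide whether the fingerprint is the one you signed with.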