I don't believe that hackers use the API - they process your application at another computer, and create a new package, signed with a new key.
The hacked package has code to intercept that PackageManager call, and return your original signature.

-- Kostya Vasilyev

On 11.07.2011 17:54, "Richard" <[email protected]> wrote:
> Hi all,
> using this code:
>
> PackageManager pm = getPackageManager();
> try
> {
>     // 64 == PackageManager.GET_SIGNATURES
>     PackageInfo info = pm.getPackageInfo(getPackageName(), 64);
>     Signature[] sig = info.signatures;
>     sigstring = new String(sig[0].toChars());
> }
> catch (Exception e)
> {
>     e.printStackTrace();
> }
> return sigstring;
>
> I can get the signature of every package in the system.
>
> How can I prevent other apps (except my apps and the Android system)
> from reading my package signature?
> I want to make sure it is the original app, not changed by a hacker
> (i.e. signed by my own private key), when run. But for now I see that
> a hacker can easily patch my code by embedding the signature he read
> from my original package.
> Maybe there is another way to make sure the package is original?
>
> --
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/android-developers?hl=en
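An added example, not part of the thread and not code from either poster: the in-app check the question is working towards, comparing the SHA-256 of each reported signing certificate with a digest the caller supplies. The class name, method name and the `expectedSha256` parameter are assumptions made for illustration.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper: self-check of the app's signing certificate. */
public final class SignatureSelfCheck {
    private SignatureSelfCheck() {}

    /**
     * Returns true only if every signing certificate that PackageManager
     * reports for this package hashes to expectedSha256 (32 bytes, supplied
     * by the caller; this example does not say where it is stored).
     *
     * Limitation, as the reply in this thread points out: the answer comes
     * from a PackageManager call made inside the app's own process. A
     * repackaged build that intercepts that call and returns the original
     * signature passes this check, so it cannot be the only control.
     */
    public static boolean signedWithExpectedCert(Context ctx, byte[] expectedSha256) {
        if (expectedSha256 == null || expectedSha256.length != 32) {
            return false; // malformed reference digest: fail closed
        }
        try {
            PackageManager pm = ctx.getPackageManager();
            // GET_SIGNATURES is the named constant for the literal 64 in the question.
            PackageInfo info = pm.getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length == 0) {
                return false; // nothing reported: fail closed
            }
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : sigs) {
                // Hash the raw certificate bytes instead of comparing strings.
                byte[] digest = sha256.digest(sig.toByteArray());
                // MessageDigest.isEqual avoids an early-exit byte comparison.
                if (!MessageDigest.isEqual(digest, expectedSha256)) {
                    return false; // an unexpected signer is present
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // lookup or hashing unavailable: fail closed
        }
    }
}
```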

