@bogdanRada
Forked from scottyab/SignatureCheck.java
Created October 25, 2016 10:05

Revisions

  1. @scottyab scottyab revised this gist Aug 23, 2013. 1 changed file with 2 additions and 0 deletions.
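--- a/SignatureCheck.java
+++ b/SignatureCheck.java
@@ -33,13 +33,15 @@ public boolean validateAppSignature(Context context) throws NameNotFoundExceptio
 return false;
 }
 
+//computed the sha1 hash of the signature
 public static String getSHA1(byte[] sig) {
 MessageDigest digest = MessageDigest.getInstance("SHA1", "BC");
 digest.update(sig);
 byte[] hashtext = digest.digest();
 return bytesToHex(hashtext);
 }
 
+//util method to convert byte array to hex string
 public static String bytesToHex(byte[] bytes) {
 final char[] hexArray = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
 '9', 'A', 'B', 'C', 'D', 'E', 'F' };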
  2. @scottyab scottyab created this gist Aug 23, 2013.
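--- a/SignatureCheck.java
+++ b/SignatureCheck.java
@@ -0,0 +1,57 @@
+import android.content.Context;
+import android.content.pm.PackageInfo;
+import android.content.pm.PackageManager;
+import android.content.pm.PackageManager.NameNotFoundException;
+import android.content.pm.Signature;
+
+public class TamperCheck {
+
+//we store the hash of the signture for a little more protection
+private static final String APP_SIGNATURE = "1038C0E34658923C4192E61B16846";
+
+/**
+* Query the signature for this application to detect whether it matches the
+* signature of the real developer. If it doesn't the app must have been
+* resigned, which indicates it may been tampered with.
+*
+* @param context
+* @return true if the app's signature matches the expected signature.
+* @throws NameNotFoundException
+*/
+public boolean validateAppSignature(Context context) throws NameNotFoundException {
+
+PackageInfo packageInfo = context.getPackageManager().getPackageInfo(
+getPackageName(), PackageManager.GET_SIGNATURES);
+//note sample just checks the first signature
+for (Signature signature : packageInfo.signatures) {
+// SHA1 the signature
+String sha1 = getSHA1(signature.toByteArray());
+// check is matches hardcoded value
+return APP_SIGNATURE.equals(sha1);
+}
+
+return false;
+}
+
+public static String getSHA1(byte[] sig) {
+MessageDigest digest = MessageDigest.getInstance("SHA1", "BC");
+digest.update(sig);
+byte[] hashtext = digest.digest();
+return bytesToHex(hashtext);
+}
+
+public static String bytesToHex(byte[] bytes) {
+final char[] hexArray = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
+'9', 'A', 'B', 'C', 'D', 'E', 'F' };
+char[] hexChars = new char[bytes.length * 2];
+int v;
+for (int j = 0; j < bytes.length; j++) {
+v = bytes[j] & 0xFF;
+hexChars[j * 2] = hexArray[v >>> 4];
+hexChars[j * 2 + 1] = hexArray[v & 0x0F];
+}
+return new String(hexChars);
+}
+
+
+}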
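Review bot: `validateAppSignature` returns from inside the loop on the first element of `packageInfo.signatures`, so any further signers are never compared. `APP_SIGNATURE` is 29 hex characters, while `bytesToHex` of a SHA-1 digest always yields 40, so the check cannot return true until the real digest is filled in. The file also does not compile as shown: `getPackageName()` needs to be `context.getPackageName()`, `java.security.MessageDigest` is not imported, and `getSHA1` neither declares nor catches the checked exceptions thrown by `MessageDigest.getInstance("SHA1", "BC")`. I would drop the explicit `"BC"` provider (as far as I know such lookups are deprecated on newer Android releases), require every signature to match, and consider pinning a SHA-256 digest instead of SHA-1. Because the comparison ships inside the app, it should be treated as a tamper signal rather than a guarantee, and paired with a server-side integrity check where one is available.

```java
public boolean validateAppSignature(Context context) throws NameNotFoundException {
    PackageInfo packageInfo = context.getPackageManager().getPackageInfo(
            context.getPackageName(), PackageManager.GET_SIGNATURES);
    Signature[] signatures = packageInfo.signatures;
    if (signatures == null || signatures.length == 0) {
        return false;
    }
    // every signer has to match the pinned digest, not only the first one
    for (Signature signature : signatures) {
        if (!APP_SIGNATURE.equals(getSHA1(signature.toByteArray()))) {
            return false;
        }
    }
    return true;
}

public static String getSHA1(byte[] sig) {
    try {
        // default provider; no explicit "BC" lookup
        MessageDigest digest = MessageDigest.getInstance("SHA-1");
        return bytesToHex(digest.digest(sig));
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException("SHA-1 digest unavailable", e);
    }
}
// … unchanged: bytesToHex …
```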