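Should we also check the number of signatures for Android tamper detection?

Time: 2016-01-06 00:32:35

Tags: android android-security

I have this code (copied from here: https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app) to add tamper protection to my Android app.

Can an application be submitted to the Play Store with multiple signatures?

Should I also verify that packageInfo.signatures returns only one signature? Or can an APK have multiple signatures, all of which are valid?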

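import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import java.security.MessageDigest;

private static final int VALID = 0;
private static final int INVALID = 1;
// Placeholder: the expected Base64-encoded SHA-1 of the release signing certificate.
private static final String SIGNATURE = "<expected-signature-hash>";

public static int checkAppSignature(Context context) {

    try {
        PackageInfo packageInfo = context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);

        // Hash each signing certificate and compare it with the expected value.
        for (Signature signature : packageInfo.signatures) {
            byte[] signatureBytes = signature.toByteArray();
            MessageDigest md = MessageDigest.getInstance("SHA");
            md.update(signatureBytes);
            final String currentSignature = Base64.encodeToString(md.digest(), Base64.DEFAULT);

            // compare signatures; the first match returns VALID
            if (SIGNATURE.equals(currentSignature)) {
                return VALID;
            }
        }
    } catch (Exception e) {
        // assumes an issue in checking the signature, but we let the caller decide what to do
    }

    return INVALID;
}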
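
An added example, not part of the original question or the AirPair article: a stricter comparison that accepts the package only when the set of signing-certificate digests equals the pinned set, so an additional signer fails the check, whereas the loop above returns VALID as soon as any one signature matches. It uses SHA-256 instead of the "SHA" digest in the question; the class and method names and the sample bytes are assumptions, and on Android the input would be each signature.toByteArray() from packageInfo.signatures.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper class; plain Java so it can be run off-device.
public class SignerSetCheck {

    // Hex-encoded SHA-256 of one signing certificate's encoded bytes.
    static String sha256Hex(byte[] cert) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // True only when the installed signer set equals the pinned set:
    // no pinned signer missing and no additional signer present.
    static boolean signerSetMatches(byte[][] installedCerts, Set<String> pinned)
            throws NoSuchAlgorithmException {
        if (installedCerts == null || installedCerts.length == 0) return false;
        Set<String> seen = new HashSet<>();
        for (byte[] cert : installedCerts) seen.add(sha256Hex(cert));
        return seen.equals(pinned);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for certificate bytes; not real certificates.
        byte[] release = "constructed-release-cert".getBytes(StandardCharsets.UTF_8);
        byte[] other = "constructed-second-cert".getBytes(StandardCharsets.UTF_8);
        Set<String> pinned = new HashSet<>();
        pinned.add(sha256Hex(release));

        // Case 1: exactly the pinned signer.
        System.out.println(signerSetMatches(new byte[][] {release}, pinned));
        // Case 2: pinned signer plus an extra signer.
        System.out.println(signerSetMatches(new byte[][] {release, other}, pinned));
        // Case 3: a different signer only.
        System.out.println(signerSetMatches(new byte[][] {other}, pinned));
    }
}
```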

0 answers:

No answers