Menu
private static byte[] getSHA1FromFileContent(String filename) {
try
{
MessageDigest digest = MessageDigest.getInstance("SHA-1");
//byte[] buffer = new byte[65536]; //created at start.
final FileInputStream fis = new FileInputStream(filename);
int n = 0;
byte[] buffer = null;
while (n != -1)
{
n = fis.read(buffer);
if (n > 0)
{
digest.update(buffer, 0, n);
}
}
byte[] digestResult = digest.digest();
return digestResult;
}
catch (Exception e)
{
return null;
}
}
As an alternative when I attempted to retrieve the files from the apk file and save the individual files as follows, I again kept on null exception
public void unzip()
{
try
{
FileInputStream fin = new FileInputStream(_zipFile);
ZipInputStream zin = new ZipInputStream(fin);
ZipEntry ze = null;
while ((ze = zin.getNextEntry()) != null)
{
Log.v("Decompress", "Unzipping " + ze.getName());
if(ze.isDirectory()) {
_dirChecker(ze.getName());
} else {
File dstfile = new File(_location + ze.getName());
dstfile.createNewFile();
FileOutputStream fout = new FileOutputStream(dstfile.getPath());
//OutputStream out = openFileOutput(_location + ze.getName(), Context.MODE_PRIVATE);
for (int c = zin.read(); c != -1; c = zin.read()) {
fout.write(c);
}
zin.closeEntry();
fout.close();
}
}
zin.close();
}
catch(Exception e)
{
Log.e("Decompress", "unzip", e);
}
}
924
If someone tampers with an installed android app (apk file), are there any checks done at the time of launching to ensure integrity of an app is not compromised?
There is no such concept as "compromised" from the OS standpoint, other than having an invalid digital signature. If somebody tampers with your app and signs it, that is indistinguishable to the OS from your original app, or the app after Amazon "tampers" with it for their store, etc.
Are there any problems with this approach? The following code kept on giving null exception
First, you are handling exceptions and doing no logging. You will find that debugging is much simpler when you log your exceptions. Then, you can use the stack trace (e.g., from DDMS) to find the line on which you are crashing, and fix your bug, whatever it is. If you want help with that, you will need to include in your question details on where the NullPointerException is occurring.
Second, whoever tampers with your app will simply remove all of this code, if they can find it.
Third, it may be fairly slow, making it easier for them to find it.
I am also verifying the application configuration by way of - PreferencesManager.getDefaultSharedPreferences call providing the package name of the application as input parameter
I have no idea why you think that this will be some form of verification.
In order to verify the integrity of an installed application is the above check enough?
IMHO, the above check is largely useless. If you obfuscate your code (e.g., with ProGuard), call it from several places, and use the other techniques outlined in this blog post, perhaps it will be worthwhile, but it may be too slow.
106
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
