
Android - Installed apps - integrity check

Tags:

android

  1. If someone tampers with an installed Android app (apk file), are there any checks done at the time of launching to ensure the integrity of the app is not compromised? As I understand it, there are no checks performed at launch time, and I am trying to do the following:
  2. I am trying to compute SHA-1 digests of the installed applications (apk files). I am aware that an apk file is like a zip file; it consists of other files. However, I am treating it as any other file (just a stream of bytes) and trying to compute SHA-1 digests of all the apk files. Are there any problems with this approach? The following code kept giving a null exception:

private static byte[] getSHA1FromFileContent(String filename) {

try
{
    MessageDigest digest = MessageDigest.getInstance("SHA-1");
    //byte[] buffer = new byte[65536]; //created at start.
    final FileInputStream fis = new FileInputStream(filename);
    int n = 0;
    byte[] buffer = null;
    while (n != -1)
    {
        n = fis.read(buffer);
        if (n > 0)
        {
            digest.update(buffer, 0, n);
        }
    }
    byte[] digestResult = digest.digest();
    return digestResult;
}
catch (Exception e)
{
    return null;
}

}

As an alternative, when I attempted to retrieve the files from the apk file and save the individual files as follows, I again kept getting a null exception:

public void unzip() 
{ 
        try  
        { 
          FileInputStream fin = new FileInputStream(_zipFile); 
          ZipInputStream zin = new ZipInputStream(fin); 
          ZipEntry ze = null; 
          while ((ze = zin.getNextEntry()) != null) 
          { 
            Log.v("Decompress", "Unzipping " + ze.getName()); 

            if(ze.isDirectory()) { 
              _dirChecker(ze.getName()); 
            } else { 
                File dstfile = new File(_location + ze.getName()); 
                dstfile.createNewFile();
            FileOutputStream fout = new FileOutputStream(dstfile.getPath()); 
            //OutputStream out = openFileOutput(_location + ze.getName(), Context.MODE_PRIVATE);
            for (int c = zin.read(); c != -1; c = zin.read()) { 
                fout.write(c); 
              } 

              zin.closeEntry(); 
              fout.close(); 
            } 

          } 
          zin.close(); 
        } 
        catch(Exception e) 
        { 
          Log.e("Decompress", "unzip", e); 
        } 
}   
  3. I am also verifying the application configuration by way of a PreferencesManager.getDefaultSharedPreferences call, providing the package name of the application as the input parameter.
  4. In order to verify the integrity of an installed application, is the above check enough?
asked Aug 10 '11 18:08

jpal


1 Answer

If someone tampers with an installed android app (apk file), are there any checks done at the time of launching to ensure integrity of an app is not compromised?

There is no such concept as "compromised" from the OS standpoint, other than having an invalid digital signature. If somebody tampers with your app and signs it, that is indistinguishable to the OS from your original app, or the app after Amazon "tampers" with it for their store, etc.

Are there any problems with this approach? The following code kept on giving null exception

First, you are handling exceptions and doing no logging. You will find that debugging is much simpler when you log your exceptions. Then, you can use the stack trace (e.g., from DDMS) to find the line on which you are crashing, and fix your bug, whatever it is. If you want help with that, you will need to include in your question details on where the NullPointerException is occurring.

Second, whoever tampers with your app will simply remove all of this code, if they can find it.

Third, it may be fairly slow, making it easier for them to find it.

I am also verifying the application configuration by way of - PreferencesManager.getDefaultSharedPreferences call providing the package name of the application as input parameter

I have no idea why you think that this will be some form of verification.

In order to verify the integrity of an installed application is the above check enough?

IMHO, the above check is largely useless. If you obfuscate your code (e.g., with ProGuard), call it from several places, and use the other techniques outlined in this blog post, perhaps it will be worthwhile, but it may be too slow.

answered Oct 22 '22 02:10

CommonsWare
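
An added example (not part of the original question or answer) showing both approaches from the question in plain Java: hashing the APK as one byte stream and hashing each archive entry. In the question's code `buffer` is null, so `fis.read(buffer)` throws a NullPointerException that the catch-all turns into a null return; here the buffer is allocated and exceptions propagate to the caller. The class name, helper names and the sample archive are constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import java.util.zip.*;

public class ApkDigestExample {
    // Feed a stream through SHA-1 using an allocated buffer; failures propagate to the caller.
    static String sha1Hex(InputStream in) throws IOException, NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-1");
        byte[] buffer = new byte[65536]; // must not be null: read(null) throws NullPointerException
        for (int n; (n = in.read(buffer)) != -1; ) {
            digest.update(buffer, 0, n);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : digest.digest()) hex.append(String.format("%02x", b));
        return hex.toString();
    }
    // Digest of the archive treated as one stream of bytes.
    static String sha1OfFile(Path file) throws IOException, NoSuchAlgorithmException {
        try (InputStream in = Files.newInputStream(file)) {
            return sha1Hex(in);
        }
    }
    // Digest of each entry's uncompressed content, without writing anything to disk.
    static Map<String, String> sha1OfEntries(Path file) throws IOException, NoSuchAlgorithmException {
        Map<String, String> result = new LinkedHashMap<>();
        try (ZipInputStream zin = new ZipInputStream(Files.newInputStream(file))) {
            for (ZipEntry ze; (ze = zin.getNextEntry()) != null; ) {
                if (!ze.isDirectory()) result.put(ze.getName(), sha1Hex(zin));
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample archive standing in for an APK.
        Path apk = Files.createTempFile("sample", ".apk");
        try (ZipOutputStream zout = new ZipOutputStream(Files.newOutputStream(apk))) {
            zout.putNextEntry(new ZipEntry("AndroidManifest.xml"));
            zout.write("<manifest/>".getBytes("UTF-8"));
            zout.putNextEntry(new ZipEntry("classes.dex"));
            zout.write(new byte[] {0x64, 0x65, 0x78, 0x0a});
        }
        System.out.println("whole file: " + sha1OfFile(apk));
        sha1OfEntries(apk).forEach((name, sum) -> System.out.println(name + ": " + sum));
        Files.delete(apk);
    }
}
```

A matching digest only shows that the file equals the reference copy it was compared against; as the answer notes, it tells you nothing once the checking code itself has been removed.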