A vanilla Android ROM (AOSP) does not contain Google Apps. If I download Google Apps from another source, how can I verify that it has not been tampered with?
A good way to check an APK file is by checking its hash. The SHA of a file is a kind of digital fingerprint which ensures that data is not modified or tampered with. You should use Hash Droid, a useful app to check the hash on your phone.
Tip: Keep your private key (.keystore file) out of source control and in a separately secured and backed-up system. The app signature will be broken if the .apk is altered in any way — unsigned apps cannot typically be installed.
The Verify apps feature helps you protect your phone from potentially harmful apps. When it's turned on, your phone will be able to block the installation of apps and remove apps if security threats are detected. Go to Settings > Google > Security. Under Verify apps, turn on Scan device for security threats.
After checking an apk file on HashDroid, you access APKTOVI Checker Tool, hit “Click Upload APK File” and upload the apk file that you have checked by HashDroid. Then, let’s wait for the file to be uploaded and scanned. You will see the result of SHA1 of this APK file and a notification about whether your file is unmodified or not.
VirusTotal is an extremely famous website which helps people to check for viruses and other issues in an apk file. However, the file size is limited to under 128MB. Click on Choose File, then choose the file you want to scan in the browser dialogue box and wait a minute to get the result.
To help your app detect tampering, we looked at identifying telltale signs of emulation and third-party debugging with environment checks. We introduced a quick and easy way to confirm the installer of your app, and — perhaps most importantly — how to verify that your app is still signed with your developer signature.
Each apk is signed with a release key. If an apk is decompiled and recompiled, then the new apk must be signed with a different release key (as each release key needs a password which only the developer/company knows). So you can verify the authenticity of your apk by checking the SHA1 of your key. Hope it helps.
EDIT: You must use web services to verify the validity of your app (like what Facebook does).
Obtain the key hash programmatically using the following code. Verify that both values are the same.

    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import android.content.pm.PackageInfo;
    import android.content.pm.PackageManager;
    import android.content.pm.Signature;
    import android.util.Base64;
    import android.util.Log;

    try {
        PackageInfo info = getPackageManager().getPackageInfo(
                "com.play.fabin", // Replace with your package name
                PackageManager.GET_SIGNATURES);
        for (Signature signature : info.signatures) {
            // Hash the DER-encoded signing certificate
            MessageDigest md = MessageDigest.getInstance("SHA1");
            md.update(signature.toByteArray());
            // digest() resets the MessageDigest, so compute it once and reuse the result
            String keyHash = Base64.encodeToString(md.digest(), Base64.DEFAULT);
            Log.d("KeyHash:", keyHash);
            System.out.println("key hash = " + keyHash);
        }
    } catch (PackageManager.NameNotFoundException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }

Hope it helps you.