I am currently developing RPC services for developers to use, but would like to make sure that I can distinguish between another app's debug key and their public key. Is there a way to check another app's key and tell whether it is a debug key and NOT a published app key?
The purpose of this is to be able to tell when their app is in development or release status, as I need to be able to tell whether they should be accessing my dev server or my production server.
For debug builds the apk will be signed with the default debug signing keys with the debug flag enabled. For a release apk you will have to explicitly specify the key to sign with, and the debug flag will be turned off so that it cannot be debugged.
In debug mode, you sign your app with a debug certificate generated by the Android SDK tools. This certificate has a private key with a known password, so you can run and debug your app without typing the password every time you make a change to your project.
Android apps are signed with a private key. To ensure that app updates are trustworthy, every private key has an associated public certificate that devices and services use to verify that the app update is from the same source. Devices only accept updates when its signature matches the installed app's signature.
The signed apk is simply the unsigned apk that has been signed via the JDK jarsigner tool. If you want to generate a signed apk then refer to How to Generate Signed Apk in Android Studio?
By default the androiddebugkey used by Eclipse (for instance) has a notAfter date & time that is at most 1 year in the future - such a short value is not accepted by the Android Market - you could use that to differentiate between developer-signed builds? Or .. you could just check the public key that the app uses - have them sign the RPC requests with the android.content.pm.Signature of their app?
PackageInfo pkgInfo = getPackageManager().getPackageInfo(getPackageName(), PackageManager.GET_SIGNATURES);
for (Signature appSignature : pkgInfo.signatures) {
    // javax.security.cert.X509Certificate - NOT java.security!
    // The Signature bytes are the DER-encoded signing certificate.
    X509Certificate appCertificate = X509Certificate.getInstance(appSignature.toByteArray());
    // appCertificate.getNotAfter() gives the date & time the cert expires.
    // appCertificate.getPublicKey() gives the public key the server verifies the signed RPC requests against.
    // appCertificate.getSubjectDN() gives a Principal named "CN=Android Debug,O=Android,C=US"
    // for any debug certificate that hasn't been handcrafted by the developer.
}
static final String TAG = "DebugKeyCheck";
// Placeholder: replace " key " with the encoded signature printed to Logcat on the first run.
static final String DEBUGKEY = " key ";

public static boolean signedWithDebugKey(Context context, Class<?> cls)
{
    boolean result = false;
    try {
        // Query the app's own package rather than a hard-coded package name.
        PackageInfo pinfo = context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);
        Signature[] sigs = pinfo.signatures;
        // Logs the encoded signing certificate so it can be copied into DEBUGKEY.
        Log.d(TAG, sigs[0].toCharsString());
        if (DEBUGKEY.equals(sigs[0].toCharsString())) {
            result = true;
            Log.d(TAG, "package has been signed with the debug key");
        } else {
            Log.d(TAG, "package signed with a key other than the debug key");
        }
    } catch (android.content.pm.PackageManager.NameNotFoundException e) {
        return false;
    }
    return result;
}
Run this code the first time with the debug key; it will always return false, but you'll get the encoded key in Logcat. Copy that encoded key, replace the value " key " of DEBUGKEY with it, and it will work fine.
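Both code answers above come down to a check on the app's signing certificate: the first reads the subject DN and notAfter of the debug certificate, the second compares the whole encoded signature against a stored copy. The Go program below is an added example, not code from either answer or from Android, showing how the RPC server from the question could apply both ideas to the DER certificate bytes a client presents (on Android that is exactly what Signature.toByteArray() returns). It flags the stock "CN=Android Debug,O=Android,C=US" subject and a lifetime of one year or less as debug indicators, but routes a request to production only when the SHA-256 fingerprint of the certificate matches a value the developer has pinned, because anyone can hand-craft a certificate with any subject or lifetime. The certificates are generated inside the program with constructed subjects ("Example Dev", "Example Co") so it runs offline; the 365-day threshold follows the Eclipse-era observation in the answer above and is an assumption about that tooling.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// KeyClass is what the RPC server learns from the signing certificate a client presents.
type KeyClass struct {
	Fingerprint   string // hex SHA-256 over the DER certificate; this is the value worth pinning
	DebugSubject  bool   // subject is the stock SDK debug identity quoted in the answer
	ShortLived    bool   // validity span of one year or less (the notAfter heuristic)
	PinnedRelease bool   // fingerprint is in the per-developer release allowlist
}

// isDebugSubject matches the subject the SDK tools put in an un-customised debug certificate.
func isDebugSubject(s pkix.Name) bool {
	return s.CommonName == "Android Debug" &&
		len(s.Organization) == 1 && s.Organization[0] == "Android" &&
		len(s.Country) == 1 && s.Country[0] == "US"
}

// Fingerprint returns the lowercase hex SHA-256 of a DER certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Classify parses the DER certificate and records the debug indicators plus whether it is pinned.
func Classify(der []byte, releasePins map[string]bool) (KeyClass, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return KeyClass{}, err
	}
	fp := Fingerprint(cert.Raw)
	return KeyClass{
		Fingerprint:   fp,
		DebugSubject:  isDebugSubject(cert.Subject),
		ShortLived:    cert.NotAfter.Sub(cert.NotBefore) <= 365*24*time.Hour, // assumed threshold
		PinnedRelease: releasePins[fp],
	}, nil
}

// RouteTo decides the backend: only a pinned, non-debug certificate reaches production.
// The debug heuristics alone never grant production access.
func RouteTo(kc KeyClass) string {
	if kc.PinnedRelease && !kc.DebugSubject {
		return "production"
	}
	return "dev"
}

// selfSigned builds a constructed test certificate (not a real app's key) with the given subject and lifetime.
func selfSigned(subject pkix.Name, validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    now,
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// DemoDebugCert mimics the stock debug certificate: SDK subject, one-year lifetime (constructed).
func DemoDebugCert() ([]byte, error) {
	return selfSigned(pkix.Name{CommonName: "Android Debug", Organization: []string{"Android"}, Country: []string{"US"}},
		365*24*time.Hour)
}

// DemoReleaseCert mimics a developer's release certificate: custom subject, 25-year lifetime (constructed).
func DemoReleaseCert() ([]byte, error) {
	return selfSigned(pkix.Name{CommonName: "Example Dev", Organization: []string{"Example Co"}, Country: []string{"DE"}},
		25*365*24*time.Hour)
}

func main() {
	debugDER, _ := DemoDebugCert()
	releaseDER, _ := DemoReleaseCert()
	pins := map[string]bool{Fingerprint(releaseDER): true} // allowlist registered by the developer
	for _, der := range [][]byte{debugDER, releaseDER} {
		kc, err := Classify(der, pins)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s... debug=%v short=%v pinned=%v -> %s\n",
			kc.Fingerprint[:16], kc.DebugSubject, kc.ShortLived, kc.PinnedRelease, RouteTo(kc))
	}
}
```

Run it with `go run .`; the debug-style certificate is routed to dev and the pinned one to production. The design point is that the subject and lifetime checks are only indicators that help explain a decision, while the decision itself rests on the pinned fingerprint, which the client cannot forge without the corresponding private key once the server also verifies a signature over the request.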