Rifluxyss / acra

Automatically exported from code.google.com/p/acra
0 stars 0 forks source link

Application check sums reporting #117

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hi, this is not bug report but feature request:

I suspect that some reports from my apps code from APK files that were modified 
by crackers/modders. I would like to filter out such a reports as it is 
pointless to deal with them.

Is there any chance to include developer's signature in ACRA reports.

Thanks a lot
Tom

Original issue reported on code.google.com by tom.huba...@gmail.com on 14 Mar 2012 at 3:42

GoogleCodeExporter commented 8 years ago
Interesting but I don't know how we could create such a checksum.

Original comment by kevin.gaudin on 5 Apr 2012 at 9:13

GoogleCodeExporter commented 8 years ago
I believe that adding Developer's signature fingerprint could be enough (if 
somebody modifies your code, he/she needs to sign it with his/her certificate). 

Here is sample code snippet.

        try {
            PackageManager pm = context.getPackageManager();
            String packageName = context.getPackageName();
            int flags = PackageManager.GET_SIGNATURES;
            PackageInfo packageInfo = null;

            try {
                packageInfo = pm.getPackageInfo(packageName, flags);
            } catch (PackageManager.NameNotFoundException e) {
                Log.e(GlobalLogTag.TAG, "Error getting package info ...", e);
                return false;
            }
            Signature[] signatures = packageInfo.signatures;

            // cert = DER encoded X.509 certificate:
            byte[] cert = signatures[0].toByteArray();
            InputStream input = new ByteArrayInputStream(cert);

            CertificateFactory cf = null;
            try {
                cf = CertificateFactory.getInstance("X509");
            } catch (CertificateException e) {
                Log.e(GlobalLogTag.TAG, "Error getting X509 certificate factory...", e);
                return false;
            }
            X509Certificate c = null;
            try {
                c = (X509Certificate) cf.generateCertificate(input);
            } catch (CertificateException e) {
                Log.e(GlobalLogTag.TAG, "Error getting X509 certificate ...", e);
                return false;
            }

            Log.d(GlobalLogTag.TAG, "Certificate for: " + c.getSubjectDN());
            Log.d(GlobalLogTag.TAG, "Certificate issued by: " + c.getIssuerDN());
            Log.d(GlobalLogTag.TAG, "The certificate is valid from " + c.getNotBefore() + " to " + c.getNotAfter());
            Log.d(GlobalLogTag.TAG, "Certificate SN# " + c.getSerialNumber());
            Log.d(GlobalLogTag.TAG, "Generated with " + c.getSigAlgName());

            StringBuffer hexString = new StringBuffer();

            try {
                MessageDigest md = MessageDigest.getInstance("SHA1");
                byte[] publicKey = md.digest(c.getPublicKey().getEncoded());

                for (int i = 0; i < publicKey.length; i++) {
                    String appendString = Integer.toHexString(0xFF & publicKey[i]);
                    if (appendString.length() == 1) hexString.append("0");
                    hexString.append(appendString);
                }

                certificateHash = hexString.toString();
                Log.d(GlobalLogTag.TAG, "Certificate HASH: " + certificateHash);
            } catch (NoSuchAlgorithmException e1) {
                Log.e(GlobalLogTag.TAG, "Error getting certificate hash...", e1);
                return false;
            }
            return true;
        } catch (Throwable e) {
            Log.e(GlobalLogTag.TAG, "Error getting certificate info...", e);
            return false;
        }
    }

Original comment by tom.huba...@gmail.com on 6 Apr 2012 at 7:43