line / line-sdk-android

LINE SDK for Android lets you integrate LINE into your Android app to create a more engaging experience for your users.
https://developers.line.biz/en/docs/android-sdk/
Apache License 2.0

Package signature and channelID security #164

Open kightsonsanom opened 3 months ago

kightsonsanom commented 3 months ago

Hello, what is the purpose of adding package signatures on the LINE developer console? My understanding was that it can limit usage of the channel ID to specific signatures, but when I add a different SHA than the one my app uses, I can still use the SDK.

The documentation only explains how to add the signatures, not the purpose of it https://developers.line.biz/en/docs/line-login-sdks/android-sdk/integrate-line-login/#link-app-to-channel

Could you explain what is the benefit of adding SHA signatures? Also should I make my channelID secure by injecting it through the CI?

Thanks!

plateaukao commented 4 days ago

Hi, @kightsonsanom. Could you explain more about "when I add a different SHA than my app uses then I can still use the SDK"? Do you mean that even if you entered a package signature different from the one on the Channel Admin web page, you can still use the SDK to log in successfully?

Entering a value in the SHA package signature field has the advantage of somewhat protecting the app from being tampered with.

As for how to secure channelID, it's beyond the scope of LINE SDK integration.

kightsonsanom commented 4 days ago

Hey @plateaukao, thanks for the reply! Let's take an example:

  1. My app is signed with signature abc
  2. On the Channel Admin web page I put only signature xyz

My assumption was that LINE Login shouldn't work in this case because there is no abc signature on the Channel Admin web page. Instead, I could still use the LINE SDK.

> As for how to secure channelID, it's beyond the scope of LINE SDK integration.

The question was not how, but whether it should be stored securely. If SHA signatures do not protect the app, then I think it should, but that comes down to the answer to the first question.