确认密钥库APK身份 [英] Confirm APK identity with keystore
问题描述
我建立一个Android应用程序与在线Web服务进行通信。我计划在发布应用程序的源$ C $ C GitHub上。对于我的量产版,这将利用我的个人web服务我想只允许我的数字签名的apk进行连接。
I am building an Android application that communicates with an online webservice. I plan on releasing the application's source code on GitHub. For my production version, which will utilize my personal webservice I want to allow only my digitally signed apk to connect.
时可以要求APK的密钥库和确认从该密钥库的用户名/密码?
Is is possible to request the APK's keystore and confirm the username/password from that keystore?
如果这是不可能还能怎么我产生这种功能?
If this is not possible how else can I produce this functionality?
编辑:
我已经读入类证书的它看起来像我可能能够用户公共/专用密钥来确认身份。但我仍然不确定的实施
I have read into the class Certificate It looks like I might be able to user public/private keys to confirm an identity. But I am still unsure of an implementation
推荐答案
我用这个 -
static public String getPackageFingerPrint( Context ctx ) {
PackageManager pm = ctx.getPackageManager();
String packageName = ctx.getPackageName();
int flags = PackageManager.GET_SIGNATURES;
PackageInfo packageInfo = null;
try {
packageInfo = pm.getPackageInfo(packageName, flags);
} catch (NameNotFoundException e) {
return "";
}
Signature[] signatures = packageInfo.signatures;
byte[] cert = signatures[0].toByteArray();
InputStream input = new ByteArrayInputStream(cert);
CertificateFactory cf = null;
try {
cf = CertificateFactory.getInstance("X509");
} catch (CertificateException e) {
return "";
}
X509Certificate c = null;
try {
c = (X509Certificate) cf.generateCertificate(input);
} catch (CertificateException e) {
return "";
}
try {
MessageDigest md = MessageDigest.getInstance("SHA1");
byte[] publicKey = md.digest(c.getPublicKey().getEncoded());
StringBuffer hexString = new StringBuffer();
for (int i=0;i<publicKey.length;i++) {
String appendString = Integer.toHexString(0xFF & publicKey[i]);
if(appendString.length()==1)hexString.append("0");
hexString.append(appendString);
}
return hexString.toString();
} catch (NoSuchAlgorithmException e1) {
return "";
}
}
我和你的方法看到的问题是,任何人都可以决定包指纹或你的包,并将其发送到您的Web服务。一个更好的可能性是使用挑战 - 响应机制:您的Web服务向您发送一个唯一的会话令牌,你的应用程序或加密使用一个共享的算法消化,然后将这个加密令牌返回到您的验证服务。当然,你不会想那个算法发布到github上。
The problem I see with your approach is that anyone could determine the package fingerprint or your package and send it to your web-service. A better possibility would be to use a challenge-response mechanism: Your web-service sends you a unique session-token, which your app encrypts or digests using a shared algorithm, and then sends this encrypted token back to your service for verification. Of course, you wouldn't want to publish that algorithm to github.
这篇关于确认密钥库APK身份的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
