Friday, December 12, 2014

Android: get sha from *.apk file; validate *.apk content; check apk integrity

An apk file can be corrupted while it is transferred over a network. If the file is signed with a certificate (most Android applications are signed by the publisher), you can check its integrity from the command line before installing the application. The following methods check the certificate validity and validate the apk file contents.



keytool -list -printcert -jarfile app-sa.apk

(keytool is located at java/jre/bin/keytool)


 Signer #1:  
   
 Signature:  
   
 Owner: CN=Somevalue, OU=Developers, O=Somevalue. Somevalue, L=Somevalue, ST=Somevalue, C=PL  
 Issuer: CN=Somevaluei, OU=Developers, O=Somevalue Somevalue, L=Somevalue, ST=Somevalue, C=PL  
 Serial number: Somevalue  
 Valid from: Thu Jul 17 11:25:00 CEST 2014 until: Mon Jul 11 11:25:00 CEST 2039  
 Certificate fingerprints:  
       MD5: 11:11:11:11:11:11:11:11:11:11:A3:D8:B5:11:11:11  
       SHA1: 11:11:11:11:11:11:11:11:11:0D:42:BC:2D:01:11:11:11:11:11:11  
       SHA256: 11:11:11:11:11:11:11:11:11:11:11:11:D4:7C:B7:1C:C8:14:8E:43:11:11:11:11:11:11:11:11:3E:11:11:11  
       Signature algorithm name: SHA256withRSA  
       Version: 3  
   
 Extensions:   
   
 #1: ObjectId: 2.5.29.14 Criticality=false  
 SubjectKeyIdentifier [  
 KeyIdentifier [  
 0000: 11 11 11 11 11 11 11 11  11 11 11 11 11 11 36 F3 ..]....%.B....6.  
 0010: 11 11 11 11                    ....  
 ]  
 ]  
   



jarsigner -verbose -verify -certs app-sa.apk

(jarsigner is located at java/jre/bin/jarsigner)


 sm    162096 Thu Dec 11 16:39:46 CET 2014 resources.arsc

      X.509, CN=Somevalue, OU=Developers, O=Somevalue Somevalue, L=Somevalue, ST=Somevalue, C=PL
      [certificate is valid from 7/17/14 11:25 AM to 7/11/39 11:25 AM]
      [CertPath not validated: Path does not chain with any of the trust anchors]

sm    4416396 Thu Dec 11 16:40:46 CET 2014 classes.dex

      X.509, CN=Somevalue, OU=Developers, O=Somevalue Somevalue, L=Somevalue, ST=Somevalue, C=PL
      [certificate is valid from 7/17/14 11:25 AM to 7/11/39 11:25 AM]
      [CertPath not validated: Path does not chain with any of the trust anchors]

sm       621 Thu Dec 11 16:40:48 CET 2014 androidannotations-api.properties

      X.509, CN=Somevalue, OU=Developers, O=Somevalue Somevalue, L=Somevalue, ST=Somevalue, C=PL
      [certificate is valid from 7/17/14 11:25 AM to 7/11/39 11:25 AM]
      [CertPath not validated: Path does not chain with any of the trust anchors]

s      32963 Thu Dec 11 16:40:50 CET 2014 META-INF/MANIFEST.MF

      X.509, CN=Somevalue, OU=Developers, O=Somevalue Somevalue, L=Somevalue, ST=Somevalue, C=PL
      [certificate is valid from 7/17/14 11:25 AM to 7/11/39 11:25 AM]
      [CertPath not validated: Path does not chain with any of the trust anchors]

       32984 Thu Dec 11 16:40:50 CET 2014 META-INF/CERT.SF
        1495 Thu Dec 11 16:40:50 CET 2014 META-INF/CERT.RSA

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

The latter of the two methods (jarsigner) also verifies the apk contents.
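The two commands above can be combined into one pass/fail check; the script below is an added example, not part of the original post. Because the output shows `[CertPath not validated: ...]`, the certificate does not chain to a trust anchor, so the script compares the SHA256 fingerprint with a value you already trust. The function names and the `EXPECTED_SHA256` argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post). Usage: script APK EXPECTED_SHA256
# EXPECTED_SHA256 is an assumption: the publisher's certificate fingerprint,
# obtained out-of-band rather than from the apk being checked.

# Read keytool output on stdin; print the SHA256 fingerprint as bare upper-case hex.
cert_sha256() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p' |
    head -n 1 | tr -d ':' | tr 'a-f' 'A-F'
}

# Read jarsigner -verbose output on stdin; print every entry outside META-INF/
# whose flag column lacks "s" (signature was verified). jarsigner can still
# print "jar verified." (with a warning) when such entries exist.
# Names containing spaces are reported by their last word only.
unsigned_entries() {
  awk '
    function check(flags, name) {
      if (name !~ /^META-INF\// && flags !~ /s/) print name
    }
    $1 ~ /^[smki]+$/ && $2 ~ /^[0-9]+$/ && NF >= 9 { check($1, $NF); next }
    $1 ~ /^[0-9]+$/ && NF >= 8                     { check("", $NF) }
  '
}

# evaluate KEYTOOL_OUT JARSIGNER_OUT EXPECTED_SHA256
# Returns 0 only if the fingerprint matches, jarsigner reported "jar verified."
# and no entry is unsigned.
evaluate() {
  expected=$(printf '%s' "$3" | tr -d ':' | tr 'a-f' 'A-F')
  actual=$(printf '%s\n' "$1" | cert_sha256)
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "FAIL: signer fingerprint does not match" >&2; return 1
  fi
  if ! printf '%s\n' "$2" | grep -q '^jar verified\.'; then
    echo "FAIL: jarsigner did not report 'jar verified.'" >&2; return 1
  fi
  bad=$(printf '%s\n' "$2" | unsigned_entries)
  if [ -n "$bad" ]; then
    echo "FAIL: unsigned entries: $bad" >&2; return 1
  fi
  echo "OK: $actual"
}

if [ "$#" -eq 2 ]; then
  evaluate "$(keytool -list -printcert -jarfile "$1")" \
           "$(jarsigner -verbose -verify -certs "$1" 2>&1)" "$2"
fi
```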


