[guardian-dev] APK signing keys are vulnerable WAS: pgp, nsa, rsa

Mark Murphy mmurphy at commonsware.com
Mon Sep 23 14:40:35 EDT 2013


On Mon, Sep 23, 2013 at 2:33 PM, Abel Luck <abel at guardianproject.info> wrote:
> Anyone have a snippet of Java that lets an app check another app's
> signing key?

Ask, and ye shall (occasionally) receive.

https://github.com/commonsguy/cw-omnibus/tree/master/MiscSecurity

The SigDump project lists all packages -- tapping on one decodes the
"signature" and dumps the signature as a binary.

The SigCheck project checks another app's "signature", comparing it to
a known good value held as a raw resource (e.g., one dumped via
SigDump).

Both will be covered in the next edition of my book. Drop me a line in
the interim if you have any questions.

-- 
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

_The Busy Coder's Guide to Android Development_: 2,400+ Pages of Goodness!
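
An added example, not part of the original message and not the SigCheck project's code: one way an app can compare another app's signing certificate against a known good binary dump held as a raw resource, as the message describes. The class name `SignerCheck`, the method `isSignedBy` and the resource id passed in are hypothetical.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;

// Hypothetical helper for illustration; names are not taken from SigCheck.
public final class SignerCheck {
    private SignerCheck() {}

    /**
     * Returns true only if packageName is installed and signed by exactly
     * the certificate stored in the raw resource expectedCertRawRes.
     */
    public static boolean isSignedBy(Context ctx, String packageName, int expectedCertRawRes) {
        try {
            // GET_SIGNATURES matches the 2013 API; it is deprecated from API 28,
            // where GET_SIGNING_CERTIFICATES / signingInfo replace it.
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            // Reject missing or multiple signers instead of accepting "any match".
            if (sigs == null || sigs.length != 1) return false;
            byte[] expected = readAll(ctx.getResources().openRawResource(expectedCertRawRes));
            // toByteArray() is in practice the DER-encoded signing certificate,
            // so this compares the whole certificate, not just a name or serial.
            return expected.length > 0
                    && MessageDigest.isEqual(expected, sigs[0].toByteArray());
        } catch (PackageManager.NameNotFoundException | IOException e) {
            return false; // not installed, or resource unreadable: fail closed
        }
    }

    // Reads the raw resource fully; raw resources are small binary dumps here.
    private static byte[] readAll(InputStream in) throws IOException {
        try (InputStream src = in) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = src.read(buf)) != -1; ) out.write(buf, 0, n);
            return out.toByteArray();
        }
    }
}
```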

