Integrity Check of android_apk Security

Keywords: Android Java Linux


Recently we have been doing security hardening work on the project. For this purpose, several third-party anti-decompilation (app hardening) platforms were examined alongside our own experience, and this post summarizes the integrity checks used to detect tampering with the apk.

Principle of Integrity Check

An integrity check uses some algorithm to compute a fingerprint of a file so that modification of the file can be detected. The common approach is to compute the CRC32 value or a hash value of the file. The same approach can be used to detect that an APK has been decompiled, modified and repackaged. The classes.dex inside the APK is compiled from the Java sources and holds the logic of the whole app, so checking the integrity of classes.dex verifies that the program logic has not been modified. If we also want to make sure the whole apk file is intact, we can check the integrity of the entire apk file as well. Below, we implement the integrity check of the classes.dex file and of the APK file respectively.

1. Check the integrity of the classes.dex file with CRC32

The code is as follows (the expected value is kept in the classesdex_crc string resource):

    import android.util.Log;
    import java.io.IOException;
    import java.util.zip.ZipEntry;
    import java.util.zip.ZipFile;

    // Verify the crc32 value of the classes.dex entry in the apk, i.e. check the integrity of the dex file
    public static boolean checkDexCrcValue() {
        String apkPath = BaseApplication.getInstance().getPackageCodePath();
        long dexCrc = Long.parseLong(BaseApplication.getInstance().getString(R.string.classesdex_crc));
        // try-with-resources closes the ZipFile even when an exception is thrown
        try (ZipFile zipfile = new ZipFile(apkPath)) {
            ZipEntry dexentry = zipfile.getEntry("classes.dex");
            if (dexentry == null) {
                return false; // no classes.dex entry at all: treat as a failed check
            }
            // getCrc() returns the CRC32 recorded for the entry in the zip directory
            Log.i("checkDexCrcValue", "classes.dex crc=" + dexentry.getCrc());
            if (dexentry.getCrc() == dexCrc) {
                return true;
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
        return false;
    }

Tips: once classesdex_crc has been recorded, the code logic must not change any more; otherwise the corresponding classesdex_crc value has to be updated as well.

2. Check the integrity of the whole apk with a hash value

Because we want to check the integrity of the whole apk, the expected hash value cannot be stored in a resource file inside the apk: any change to the APK, including writing the hash into its resources, changes the hash of the final APK.

(1) First, the code that computes the apk's own hash value is implemented as follows:

    import android.util.Log;
    import java.io.FileInputStream;
    import java.math.BigInteger;
    import java.security.MessageDigest;

    // Compute the SHA-1 of the apk file itself and compare it with the expected value
    public static boolean checkApkSha() {
        String apkPath = BaseApplication.getInstance().getPackageCodePath();
        // try-with-resources closes the stream even when an exception is thrown
        try (FileInputStream fis = new FileInputStream(apkPath)) {
            MessageDigest msgDigest = MessageDigest.getInstance("SHA-1");
            byte[] bytes = new byte[1024];
            int byteCount;
            while ((byteCount = fis.read(bytes)) > 0) {
                msgDigest.update(bytes, 0, byteCount);
            }
            BigInteger bi = new BigInteger(1, msgDigest.digest());
            // Zero-pad to 40 hex digits: BigInteger.toString(16) drops leading zeros, so a digest
            // starting with a 0 nibble would never match the output of shasum/sha1sum
            String sha = String.format("%040x", bi);
            Log.i("checkApkSha", "apk sha=" + sha);
            if (BaseApplication.getInstance().getString(R.string.apk_sha).equals(sha)) {
                return true;
            }
            // Here we add a hash value from the server and then compare it.
        } catch (Exception e) {
            e.printStackTrace();
        }
        return false;
    }

(2) Calculate the hash value of our apk with the shasum command under Linux (shasum defaults to SHA-1, the same as sha1sum). The command is as follows:

    shasum verification.apk

(3) Save the hash value generated in (2) on the server, and then fetch it from the server in our code and compare it for the integrity check.
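As an added example (not the post's own code), a build-side Python script that produces both reference values the same way the Java checks compute them on the device: the CRC32 of classes.dex as recorded in the zip directory (what ZipEntry.getCrc() returns) and the whole-file SHA-1 in the zero-padded form that shasum prints. It also replays the comparison the server would do; the APK used here is constructed in memory as a stand-in for a real build.

```python
import hashlib
import io
import sys
import zipfile


def build_sample_apk(dex_bytes: bytes) -> bytes:
    """Constructed stand-in for a built APK: a zip holding a manifest and classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


def dex_crc32(apk_bytes: bytes) -> int:
    """CRC32 of classes.dex as recorded in the zip central directory.

    This is the value java.util.zip.ZipEntry.getCrc() returns on the device,
    so it is what belongs in the classesdex_crc string resource.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.getinfo("classes.dex").CRC


def apk_sha1(apk_bytes: bytes) -> str:
    """SHA-1 over the whole APK file as 40 zero-padded hex digits (same form as shasum)."""
    return hashlib.sha1(apk_bytes).hexdigest()


def reference_values(apk_bytes: bytes) -> dict:
    """Values recorded at build time: the dex CRC for the resource, the APK SHA-1 for the server."""
    return {"classesdex_crc": dex_crc32(apk_bytes), "apk_sha": apk_sha1(apk_bytes)}


def verify(apk_bytes: bytes, expected: dict) -> tuple:
    """Replay of both checks against recorded values; returns (dex_ok, apk_ok)."""
    return (dex_crc32(apk_bytes) == expected["classesdex_crc"],
            apk_sha1(apk_bytes) == expected["apk_sha"])


if __name__ == "__main__":
    # Usage: python apk_reference.py app-release.apk   (prints the values to record)
    with open(sys.argv[1], "rb") as f:
        print(reference_values(f.read()))
```

Note that the zip written by build_sample_apk carries the current timestamp, so the SHA-1 of the constructed sample differs between runs; only the values produced from one and the same file are comparable, exactly as for a real release build.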

Above, we used a CRC32 value to check the classes.dex file and a hash value to check the integrity of the whole apk. Of course, either method can be applied to either file.

Posted by agentsmith on Thu, 18 Apr 2019 10:06:33 -0700