Thanks for the response Nikolay,

I was hoping to avoid server-side checks because I don't want potential lag
or bugs to affect the legit users. But I'll consider your suggestion if
this becomes a big problem for us.

-Chad


On Thu, Nov 10, 2011 at 6:40 PM, Nikolay Elenkov
<nikolay.elen...@gmail.com> wrote:

> On Fri, Nov 11, 2011 at 11:21 AM, Sheado <chad...@gmail.com> wrote:
> >
> > Currently I have something in place where I get the PackageInfo's
> > signatures (e.g. getPackageManager().getPackageInfo) and feed them
> > into X509Certificate, which I use to check the issuer DN.
> >
> > This will at least tell me that the DN changed, but that's obviously
> > easy to get around.
> > What's the proper way to go about checking the package signature with
> > a remote service?
>
> Use MessageDigest to calculate the SHA1 hash of the certificate blob.
> Then send this to a server and compare with the hash of your own
> certificate. Anyone can create a certificate with any DN, so checking
> the DN buys you nothing.
>
> Of course, if they are modifying your package, they can disable the
> checking code...
>
> --
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To post to this group, send email to android-developers@googlegroups.com
> To unsubscribe from this group, send email to
> android-developers+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/android-developers?hl=en
>
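An added example (not code from this thread) of what Nikolay describes: on the client, hash the raw DER certificate blob from the PackageInfo signatures with MessageDigest rather than inspecting the DN; on the server, compare the reported fingerprint with the known hash of the release certificate in constant time. The class and method names are assumptions, and EXPECTED_SHA1_HEX is a placeholder for the SHA-1 of your own signing certificate.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

public final class SigningCertFingerprint {

    /** Placeholder: SHA-1 (hex) of the certificate the release build is signed with. */
    static final String EXPECTED_SHA1_HEX = "<sha1-of-your-release-cert>";

    /**
     * Client side: hex SHA-1 of every signing certificate of this app.
     * Signature.toByteArray() is the DER-encoded X.509 certificate, so a repackaged
     * build signed with another key hashes differently even if its issuer DN is copied.
     */
    public static List<String> sha1OfSigningCerts(Context ctx)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        List<String> fingerprints = new ArrayList<>();
        for (Signature sig : info.signatures) {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            fingerprints.add(toHex(sha1.digest(sig.toByteArray())));
        }
        return fingerprints;
    }

    /**
     * Server side: compare the value the client reported with the expected one.
     * MessageDigest.isEqual is a constant-time comparison, so the server leaks no
     * timing information about how many leading characters matched.
     */
    public static boolean matchesExpected(String reportedHex, String expectedHex) {
        byte[] reported = reportedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(reported, expected);
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

As Nikolay notes, a modified package can simply strip the client-side call, so the server should treat a missing or mismatched fingerprint as a signal to act on (logging, flagging the account), not as the only line of defence.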
