CommonsWare CommonsWare - 1 month ago 11
Android Question

How Can We Check the Signature of a Not-Yet-Installed APK?

Given that we have an APK file, accessible on an Android device on the filesystem, how can we, from another Android app:


  • Confirm that the APK file has not been tampered with (that its digital signature matches its contents)?

  • Get the public key information (specifically, the same sort of SHA256 hash that
    keytool -list -printcert -jarfile test.apk
    would emit on a development machine)?



Note that this APK has not been installed at this point, so we cannot use
PackageManager
to retrieve the "signatures" of the installed app, nor can we rely on Android having validated the APK signature for us.

Answer

I totally whiffed on this. PackageManager has a getPackageArchiveInfo() method, available since API Level 1.

So, you call that, passing in the path to the APK, along with PackageManager.GET_SIGNATURES. If you get null back, the APK was tampered with and does not have valid digital signature. If you get a PackageInfo back, it will have the "signatures", which you can use for comparison purposes.