github/CordovaReadApplicationSignature
3
0
Fork 0
mirror of https://github.com/wanxf-shuto/CordovaReadApplicationSignature.git synced 2026-06-05 00:00:35 +08:00
Code Issues Packages Projects Releases Wiki Activity

Updated repo

Browse Source
This commit is contained in:
info4shajeer@gmail.com
2018-07-12 20:14:02 +05:30
parent 423531b92f
commit 8deb16fe7a
13 changed files with 0 additions and 477 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/android/ReadAppSignature.java
+92
View File
@@ -0,0 +1,92 @@
package cordova.plugin.appSignature;
import org.apache.cordova.CordovaPlugin;
import org.apache.cordova.CallbackContext;
import org.apache.cordova.PluginResult;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import android.annotation.SuppressLint;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
/**
* This class echoes a string called from JavaScript.
*/
public class ReadAppSignature extends CordovaPlugin {
@Override
public boolean execute(String action, JSONArray args, CallbackContext callbackContext) throws JSONException {
if (action.equals(Actions.GET_SIGNATURE)) {
this.getAppSignature(callbackContext);
return true;
}
return false;
}
private void getAppSignature(CallbackContext callbackContext) {
PluginResult pluginResult = new PluginResult(PluginResult.Status.OK, getAppSignature());
callbackContext.sendPluginResult(pluginResult);
}
@SuppressLint("PackageManagerGetSignatures")
public String getAppSignature() {
PackageInfo packageInfo;
try {
packageInfo = cordova.getActivity().getPackageManager().getPackageInfo(
cordova.getActivity().getPackageName(), PackageManager.GET_SIGNATURES);
//note sample just checks the first signature
for (Signature signature : packageInfo.signatures) {
// SHA1 the signature
LogUtils.LOGD(TAG, "getAppSignature() called : " + getSHA1(signature.toByteArray()));
return getSHA1(signature.toByteArray());
}
} catch (PackageManager.NameNotFoundException e) {
e.printStackTrace();
}
return "";
}
//computed the sha1 hash of the signature
public static String getSHA1(byte[] sig) {
MessageDigest digest = null;
try {
digest = MessageDigest.getInstance("SHA1", "BC");
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (NoSuchProviderException e) {
e.printStackTrace();
}
digest.update(sig);
byte[] hashtext = digest.digest();
return bytesToHex(hashtext);
}
//util method to convert byte array to hex string
public static String bytesToHex(byte[] bytes) {
final char[] hexArray = {'0', '1', '2', '3', '4', '5', '6', '7', '8',
'9', 'A', 'B', 'C', 'D', 'E', 'F'};
char[] hexChars = new char[bytes.length * 2];
int v;
for (int j = 0; j < bytes.length; j++) {
v = bytes[j] & 0xFF;
hexChars[j * 2] = hexArray[v >>> 4];
hexChars[j * 2 + 1] = hexArray[v & 0x0F];
}
return new String(hexChars);
}
interface Actions {
String GET_SIGNATURE = "getSignature";
}
}
src/android/readme.md
+56
View File
@@ -0,0 +1,56 @@
# cordova-plugin-get-app-signature
#### Version 0.1.1 (12/07/2018)
## What is Application Signing ?
> Application signing allows developers to identify the author of the application and to update their application without creating complicated interfaces and permissions. Every application that is run on the Android platform must be signed by the developer. Applications that attempt to install without being signed will be rejected by either Google Play or the package installer on the Android device.
You can read more about it on [Android official website](https://source.android.com/security/apksigning/)
## What is the main purpose of this plugin
- By using this plugin you can get the application signature key, you can verify this signature with the original signature to amake sure that application is not tampered. [Read more about application tampering here](https://www.owasp.org/index.php/Mobile_Top_10_2016-M8-Code_Tampering) also [Refer this link as well](https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app)
- ```cordova plugin add cordova-plugin-get-app-signature``` - this command will install plugin to your project
## Tampering Prevention Techniques
Signature verification is one of the method to prevent apk tampering, you need to find the signature key and that key you need to validate from server when the application opens, get the key for the first time and pass it to your server guy, let him store it in his server and each time when the app opens he will have to validate the key, if the key is not matching the app has been tampered, in that case you can block the user from accessing the application,
## Usage
```javascript
cordova.exec(function success(signature){
//Check signature
}, function failure(error){
//alert("Something went wrong");
}, "ReadAppSignature", "getAppSignature", []);
```
## License
```
The MIT License
Copyright (c) 2017 Shajeer Ahamed (info4shajeer@gmail.com)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
```