Autojs protects the APP with signature verification

Tooth uncle tutorial is easy to understand

The test environment

Autojs version: 9.0.4

Android version: 8.0.0

Android Studio version: 4.1.2

Signature concept

Purpose: It is impossible for anyone to falsify a message in order to confirm that a message was actually sent by a sender, or that a post was actually posted by the sender, and the sender cannot disclaim it.

Method: Generate signature identifiers (such as string sequences or certificates) for the published information content through some reliable processing (such as MD5 operation)

Verification: Anyone who gets the published information content can obtain the signature identification through the same processing. If the comparison is consistent with the published signature, the verification is true.

The difference between signature and encryption: Encryption is to prevent others from knowing the original information, and signature is to ensure that the original information is not changed.

Signature verification

Every application in Android has a unique signature, and an application that is not signed is not allowed to be installed on the device.

The main function of APP signature verification is to protect the security interests of the APP itself and prevent illegal elements from modifying internal codes and files, and then inserting advertisements and other profit-making behaviors to carry out illegal operations.

Calibration method

• Java layer entry validation
• NDK verification, that is, so files
• Server authentication

Autojs signature management

When using autoJS package script, there is a signature option at the bottom, you can select the signature, the signature file suffix is JKS, the default signature created is saved in /sdcard/.keystore/

When signing, we can select the signature created by ourselves. When executing the script, we verify the signature first. If the signature is different, we exit the script

Get the sha1 value of the signature from the JKS file

Android Studio has a keytool. To obtain the signed SHA1, run the following commandkeytool -list -v -keystore yashu.jks

The code on

1. Import the classes

importClass(android.content.pm.PackageManager);
importClass(java.security.MessageDigest);
importClass(java.io.ByteArrayInputStream);
importClass(java.lang.StringBuilder);
importClass(java.lang.Integer);
importClass(java.security.cert.CertificateFactory);
Copy the code

2. Obtain the application signature SHA1

/** * Obtain the application signature */
function getCertificateSHA1Fingerprint() {
  // Get the package manager
  let pm = context.getPackageManager();

  // Get the package name from which the SHA1 value is to be obtained. You can also use another package name, but note that:
  // Before using another package name, the Context passed by this method should be the corresponding package Context.
  let packageName = context.getPackageName();

  // Returns the signature information included in the package
  let flags = PackageManager.GET_SIGNATURES;

  // Get all the content information classes of the package
  let packageInfo = pm.getPackageInfo(packageName, flags);

  // Signature information
  let signatures = packageInfo.signatures;
  let cert = signatures[0].toByteArray();

  // Convert the signature to a byte array stream
  let input = new ByteArrayInputStream(cert);

  // Certificate factory class. This class implements the factory certificate algorithm
  let cf = CertificateFactory.getInstance("X509");

  X.509 is a very general certificate format
  let c = cf.generateCertificate(input);

  // The class of the encryption algorithm, where the parameters can be MD4,MD5, etc
  let md = MessageDigest.getInstance("SHA1");

  // Get the public key
  let publicKey = md.digest(c.getEncoded());

  // Format conversion from bytes to hexadecimal
  let hexString = byte2HexFormatted(publicKey);

  return hexString;
}

// Convert the obtained code into hexadecimal
function byte2HexFormatted(arr) {
  let str = new StringBuilder(arr.length * 2);

  for (let i = 0; i < arr.length; i++) {
    let h = Integer.toHexString(arr[i]);
    let l = h.length;
    if (l == 1) h = "0" + h;
    if (l > 2) h = h.substring(l - 2, l);
    str.append(h.toUpperCase());
    if (i < arr.length - 1) str.append(":");
  }
  return str.toString();
}
Copy the code

reference

Android App runtime signature verification

Various signatures and verification

Signature verification cracking process

Quotes.

Thinking is the most important, other Baidu, Bing, StackOverflow, Android documents, autoJS documents, and finally in the group to ask — fang Shu tutorial

The statement

This tutorial is intended for learning purposes only and is not intended for any other use