On Fri, Nov 11, 2011 at 11:21 AM, Sheado <[email protected]> wrote:
>
> Currently I have something in place where I get the PackageInfo's
> signatures (e.g. getPackageManager().getPackageInfo) and feed them
> into X509Certificate which I use to check the issuer DN.
>
> This will at least tell me that the DN changed, but that's obviously
> easy to get around.
> What's the proper way to go about checking the package signature with
> a remote service?

Use MessageDigest to calculate the SHA1 hash of the certificate blob. Then send this to a server and compare with the hash of your own certificate. Anyone can create a certificate with any DN, so checking the DN buys you nothing. Of course, if they are modifying your package, they can disable the checking code...
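
The check described in the reply above, as an added example that is not part of the original thread: the client hashes each raw certificate blob with `MessageDigest`, and the server compares the reported hashes with the one computed from the developer's own certificate. The class name, the `serverAccepts` helper and the certificate bytes are constructed for illustration; on Android the blobs would come from `PackageInfo.signatures[i].toByteArray()`.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

public class CertFingerprintCheck {
    // Client side: SHA-1 over the raw certificate bytes, hex-encoded.
    // On Android the bytes come from PackageInfo.signatures[i].toByteArray().
    static String fingerprint(byte[] certBlob) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(certBlob);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Client side: one fingerprint per signing certificate of the package.
    static List<String> fingerprints(List<byte[]> certBlobs) throws NoSuchAlgorithmException {
        List<String> out = new ArrayList<>();
        for (byte[] blob : certBlobs) {
            out.add(fingerprint(blob));
        }
        return out;
    }

    // Server side (hypothetical helper): accept only when at least one
    // fingerprint was reported and every reported one equals the pinned value.
    static boolean serverAccepts(List<String> reported, String pinnedHex) {
        if (reported == null || reported.isEmpty()) {
            return false;
        }
        for (String fp : reported) {
            if (!pinnedHex.equalsIgnoreCase(fp)) {
                return false;
            }
        }
        return true;
    }
    public static void main(String[] args) throws Exception {
        // Constructed placeholder bytes, not real DER certificates.
        byte[] ownCert = {0x30, (byte) 0x82, 0x01, 0x0a, 0x11, 0x22, 0x33};
        byte[] otherCert = {0x30, (byte) 0x82, 0x01, 0x0a, 0x11, 0x22, 0x34};
        String pinned = fingerprint(ownCert); // computed once from the release certificate
        System.out.println(serverAccepts(fingerprints(List.of(ownCert)), pinned));
        System.out.println(serverAccepts(fingerprints(List.of(otherCert)), pinned));
        System.out.println(serverAccepts(fingerprints(List.of(ownCert, otherCert)), pinned));
    }
}
```

The pinned value lives on the server, so the comparison itself does not depend on anything readable from the certificate's DN fields.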

