我需要获取包签名,目前我使用以下代码获取它:
Signature[] sigs = c.getPackageManager()
.getPackageInfo(c.getPackageName(),
PackageManager.GET_SIGNATURES).signatures;
但是,Android Studio 给我这个警告:
Reading app signatures from getPackageInfo: The app signatures could be exploited if not validated properly; see issue explanation for details.
Improper validation of app signatures could lead to issues where a malicious app submits itself to the Play Store with both its real certificate and a fake certificate and gains access to functionality or information it shouldn't have due to another application only checking for the fake certificate and ignoring the rest. Please make sure to validate all signatures returned by this method.
在这种情况下验证签名是什么意思?我将针对服务器检查签名以确保它们匹配 - 这是他们的意思吗?
在本地测试中,它输出的只是一个负整数,而不是代码中的数组。
最佳答案
跟踪弹出文本导致 this source code fragment安卓工作室。
在同一个文件中有 a line包含指向外部资源的链接。
进一步追踪到this presentation关于“假 ID”漏洞。
The problem is that when Android builds the chain-of-trust, the verification process only compares the ‘subject’ rather than comparing the actual key with the one provided within the details of the certificate’s signer. As a result, an attacker can tinker with the chain-of-trust and claim to be signed by a party – without the party actually signing.
Due to this bug a wrong certificate chain is generated, and might include legitimate certificates, which are embedded in APK but weren’t been used to actually sign the application.
这里是 the commit到 Android 源代码,以防止使用此漏洞。 这意味着如果设备有 Android 4.4,问题就不会发生。当运行较低的 Android API 设备时,它可能会造成危害。
关于使用 PackageManager.GET_SIGNATURES 时出现 Android Studio 警告,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/39192844/