Signature check

An attacker may attempt to reverse engineer your application to add extra code - either to make it easier for them to analyse, or to re-package and deploy to an app store as malware. Adding a signature check can make this more difficult.


The simplest way to generate your signature is to run the report and read the result, for example:

Log.v("Signature", verifySignatureConfig("").canRun())

The function can take multiple strings, so you can provide a signature for each of your debug, release, etc. builds.
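
What a check of this kind does underneath, as an added example (not this library's code): it hashes the certificate the installed APK was signed with and compares it against an allow-list with one entry per build type. The helper names and the hex SHA-256 encoding are assumptions; the library's own signature string format may differ.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Hypothetical helpers for illustration; not part of the library described on this page.

/** Lowercase hex SHA-256 digest of every certificate that signed the installed APK. */
@Suppress("DEPRECATION")
fun currentSignatureDigests(context: Context): Set<String> {
    val pm = context.packageManager
    val signatures = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        // API 28+: apkContentsSigners holds the certificates that signed this APK.
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
            .signingInfo?.apkContentsSigners
    } else {
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures
    }
    return signatures.orEmpty().map { sig ->
        MessageDigest.getInstance("SHA-256")
            .digest(sig.toByteArray())
            .joinToString("") { "%02x".format(it) }
    }.toSet()
}

/** True only if every signer of the installed APK is in the expected list. */
fun isSignedByExpectedKey(context: Context, vararg expected: String): Boolean {
    val allowed = expected.map { it.lowercase() }.toSet()
    val actual = currentSignatureDigests(context)
    // Fail closed: an unreadable signature or any unexpected signer counts as tampering.
    return actual.isNotEmpty() && allowed.containsAll(actual)
}

// Usage (placeholder digests, one per build type):
// val ok = isSignedByExpectedKey(context, "<debug-cert-sha256-hex>", "<release-cert-sha256-hex>")
```

A repackaged APK has to be re-signed with a key the attacker controls, so its digest will not match any entry in the list.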

When to use

Use this when you want to verify that your application has been correctly signed. It's not entirely tamper-proof, but it will make it harder for people to reverse engineer your application, and re-compile it with extra code added.

Often, attackers will take a popular application (e.g. WhatsApp), add code to it, and trick people into downloading it thinking it is the real WhatsApp, when it is actually executing extra, malicious code. Another thing that attackers do is recompile your app in order to make it easier for them to debug it.
