Application integrity

App integrity levels

In the Token Server configuration you can select one of two app integrity levels: NONE or FULL. The FULL level performs several checks on the app, including a tampering/modification check that validates the signing key of the app: the SDK calculates the hash of the key that was used to sign the app at runtime during the DCR and verifies it against the hash stored in the Token Server. To obtain the hash for the Token Server configuration, use the guide below.

When the app integrity level is set to NONE, the SDK performs only the most basic sanity checks (such as the app's name) and does not validate the signing keys.
Obtain the hash of the signing key

When you create an Android app you need to sign it with one of:
- the debug key provided by Android Studio
- a signing key you created yourself
- an "upload key", with Google Play App Signing applying the final signature

If the key is stored on your machine, you can use keytool to obtain information about the signing key, as shown here. The Onegini SDK uses the SHA-256 fingerprint of the signing key.

(Screenshot: example keytool output with visible SHA-256 fingerprint)

If you use Google Play App Signing, your signing key is stored in the Google Play Store. You can find it in the Release > Setup > App Integrity tab.
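As an added example (not from the Onegini documentation or SDK), the following POSIX shell script pulls the SHA-256 fingerprint out of `keytool -list -v` output, checks that it really is a SHA-256 value and not the SHA1 line printed just above it, and compares it with the value configured in the Token Server regardless of colon and case differences. The keytool output and all fingerprints are constructed sample data; the function names, the `keystore_sha256` wrapper and the configured value are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not part of the Onegini documentation or SDK: extract the
# SHA-256 fingerprint from `keytool -list -v` output and check it against the
# value that is (or will be) configured in the Token Server.
# The keytool output below is constructed sample data, not a real key.

# Print the SHA256 fingerprint from keytool output read on stdin.
# keytool prints one "SHA256: AA:BB:..." line per certificate in the chain,
# so a longer chain yields one line per certificate.
extract_sha256_fingerprint() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | sed 's/[[:space:]]*$//'
}

# Normalise a fingerprint so values copied from different places compare
# equal: remove colons and whitespace, fold to upper case.
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Return 0 if the value is a well-formed SHA-256 fingerprint (32 bytes, i.e.
# 64 hex digits). Catches the common mistake of copying the SHA1 line
# (40 hex digits) from the same keytool output.
is_sha256_fingerprint() {
    normalize_fingerprint "$1" | grep -Eq '^[0-9A-F]{64}$'
}

# Return 0 when two fingerprints denote the same certificate, 1 otherwise.
fingerprints_match() {
    [ "$(normalize_fingerprint "$1")" = "$(normalize_fingerprint "$2")" ]
}

# Read the fingerprint of a real keystore entry (assumed wrapper). Usage:
#   keystore_sha256 <keystore> <alias> [extra keytool options]
# e.g. keystore_sha256 ~/.android/debug.keystore androiddebugkey -storepass android
keystore_sha256() {
    ks=$1; alias=$2; shift 2
    keytool -list -v -keystore "$ks" -alias "$alias" "$@" | extract_sha256_fingerprint
}

# Constructed sample of `keytool -list -v` output (made-up fingerprints).
SAMPLE_KEYTOOL_OUTPUT='Alias name: androiddebugkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Certificate fingerprints:
         SHA1: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
         SHA256: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90
Signature algorithm name: SHA256withRSA'

# The same value as it might have been pasted into the Token Server
# (constructed; lower case, no colons).
CONFIGURED_FINGERPRINT='a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90'

main() {
    fp=$(printf '%s\n' "$SAMPLE_KEYTOOL_OUTPUT" | extract_sha256_fingerprint)
    echo "Fingerprint to store in the Token Server: $fp"
    is_sha256_fingerprint "$fp" || { echo "not a SHA-256 fingerprint" >&2; return 1; }
    if fingerprints_match "$fp" "$CONFIGURED_FINGERPRINT"; then
        echo "Token Server configuration matches the signing key"
    else
        echo "MISMATCH: FULL integrity checks would reject this app build" >&2
        return 1
    fi
}

main
```

For the Android Studio debug key the call is `keystore_sha256 ~/.android/debug.keystore androiddebugkey -storepass android` (alias and password are the Android Studio defaults). With Google Play App Signing the installed app carries Google's signature, so take the fingerprint of the app signing key certificate shown in the Play Console, not the upload key certificate. Because the SDK compares the runtime hash with the list stored for the application version, a build signed with a rotated key is rejected under the FULL level until its fingerprint has been added to that version's list.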
Store the app signatures

The SHA-256 value you obtained must be stored in the Token Server admin console. Because the signing key can be rotated, every application version has its own list of valid signatures. The Token Server application version documentation explains where and how to store the application signature for a specific application version.