Application integrity
In the IDAAS-core configuration, you can select one of two app integrity levels: NONE or FULL. The FULL level performs several checks on the app, including a tampering/modification check that validates the key the app was signed with. At runtime, during the DCR (Dynamic Client Registration), the Android SDK calculates the SHA-256 hash of the certificate that was used to sign the app, and this value is verified against the hash stored in the IDAAS-core. A build that has been re-signed with a different key, for example a modified or repackaged app, therefore fails the check. To obtain the hash for the IDAAS-core configuration, use the guide below.
When the app integrity level is set to NONE, the Android SDK performs only the most basic sanity checks (such as the app's name) and does not validate the signing key. Use NONE only during development: with this level, a repackaged app that keeps the same package name passes the check.
Obtain the hash of the signing key
When you create an Android app, you need to sign it using one of the following:
- A debug key provided by Android Studio. It lives in the debug keystore, which keytool can read in the same way as a keystore you created yourself.
- A signing key created by yourself. If the key is stored on your machine, you can use keytool to obtain information about the signing key, as described in Authenticating your client.
- An upload key, with Google Play App Signing applying the final signature. If you use Google Play App Signing, the app signing key is held by Google Play, and its certificate fingerprint is shown in the Release > Setup > App Integrity tab. Store the fingerprint of the app signing certificate shown there, not the fingerprint of your upload certificate: the app installed on users' devices is signed with the app signing key, so only that fingerprint matches at runtime.
The Android SDK uses the SHA-256 fingerprint of the signing certificate, which is the SHA256 line in the keytool output; the MD5 and SHA1 values are not used.
Example keytool -list -v output with the SHA-256 fingerprint visible
Alias name: androiddebugkey
Creation date: 2020-09-02
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 1
Valid from: Wed Sep 02 17:20:09 CEST 2020 until: Fri Aug 26 17:20:09 CEST 2050
Certificate fingerprints:
MD5: F1:E6:A5:32:AB:05:4B:D3:A3:11:C0:D0:75:44:8C:8E
SHA1: D4:0A:34:A6:B6:2B:05:82:60:C6:3D:1C:F8:5A:56:9D:8F:80:DF:82
SHA256: D6:41:0F:E2:57:B1:B4:76:7A:72:47:0E:1A:76:0D:A2:9A:BB:89:5E:6F:08:AE:14:FF:B7:70:62:3C:FE:CD:1C
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
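The procedure above as a shell helper. This is an added example, not code from the original page or from the IDAAS SDK: it wraps the keytool and apksigner commands, extracts the SHA256 line from keytool output, and compares a keystore fingerprint with the fingerprint of the certificate an APK was actually signed with, which is how you catch a stored upload-key fingerprint that does not match the Play-signed build. The keystore path, alias, password and APK path are assumptions, and the embedded keytool output is a constructed sample that reuses the fingerprint shown above.

```shell
#!/bin/sh
# Added example, not from the original page or the IDAAS SDK. Keystore path,
# alias, password and APK path below are assumptions for illustration.

# Print the SHA-256 fingerprint from "keytool -list -v" output read on stdin.
# keytool prints it as "SHA256: D6:41:..." (uppercase, colon separated).
extract_sha256() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Fingerprint of the certificate stored in a keystore.
# For the Android Studio debug key the defaults are
#   keystore ~/.android/debug.keystore, alias androiddebugkey, password android
keystore_fingerprint() {
  # $1 = keystore path, $2 = alias, $3 = store password
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" | extract_sha256
}

# Fingerprint of the certificate the built APK is actually signed with.
# apksigner ships with the Android SDK build-tools and prints
# "Signer #1 certificate SHA-256 digest: d6410f..." (lowercase, no colons).
apk_fingerprint() {
  apksigner verify --print-certs "$1" | sed -n 's/.*SHA-256 digest:[[:space:]]*//p' | head -n 1
}

# Strip colons and case so keytool and apksigner values can be compared.
normalize_fingerprint() {
  printf '%s' "$1" | tr -d ':' | tr 'A-Z' 'a-z'
}

# Exit status 0 when both values denote the same certificate.
same_fingerprint() {
  [ "$(normalize_fingerprint "$1")" = "$(normalize_fingerprint "$2")" ]
}

# Constructed sample of keytool output (the fingerprint is the one shown above)
# so that the parsing can be exercised without a keystore or keytool installed.
SAMPLE_KEYTOOL_OUTPUT='Certificate fingerprints:
   MD5: F1:E6:A5:32:AB:05:4B:D3:A3:11:C0:D0:75:44:8C:8E
   SHA1: D4:0A:34:A6:B6:2B:05:82:60:C6:3D:1C:F8:5A:56:9D:8F:80:DF:82
   SHA256: D6:41:0F:E2:57:B1:B4:76:7A:72:47:0E:1A:76:0D:A2:9A:BB:89:5E:6F:08:AE:14:FF:B7:70:62:3C:FE:CD:1C
Signature algorithm name: SHA1withRSA'

sample_fingerprint() {
  printf '%s\n' "$SAMPLE_KEYTOOL_OUTPUT" | extract_sha256
}

# Typical use once keytool and apksigner are on the PATH (assumed paths):
#   KS_FP=$(keystore_fingerprint ~/.android/debug.keystore androiddebugkey android)
#   APK_FP=$(apk_fingerprint app/build/outputs/apk/release/app-release.apk)
#   same_fingerprint "$KS_FP" "$APK_FP" || echo "APK is signed with a different certificate"
echo "Sample keystore certificate SHA-256: $(sample_fingerprint)"
```

Run the comparison against the APK you actually ship (for Play App Signing, one downloaded from Google Play rather than the upload build) so that the value you store in the IDAAS-core is the one the SDK will compute on users' devices.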
Store the app signatures
The SHA-256 value that you obtained must be stored in the admin console. Every application version has its own list of valid signatures, so a debug build and a release build of the same version can both be accepted by storing both fingerprints, while a build signed with a key whose fingerprint is not on the list fails the FULL integrity check. The application version documentation describes where and how to store the application signature for a specific application version.