
Match Android Apk Sha256 With Safetynet Apkcertificatedigestsha256

I am using SafetyNet to verify the integrity of the Android app. This is the flow as of now. I generate a nonce value on the server and send it to the SafetyNet service to get the

Solution 1:

I have used the SafetyNet API for accessing the device's runtime environment. I have kept the signing certificate of the app on the server to verify its SHA-256 against what we get in the SafetyNet response. Below are the steps you can refer to if this applies to you too.

  1. Get the SHA-256 fingerprint of the signing X509Certificate

    // Hash the DER encoding of the certificate, which is what SafetyNet digests
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    byte[] der = cert.getEncoded();
    md.update(der);
    byte[] sha256 = md.digest();

  2. Encode sha256 to a base64 string

    String checksum = Base64.getEncoder().encodeToString(sha256);

  3. Match checksum with apkCertificateDigestSha256 of the SafetyNet response

Solution 2:

I think this can help you

1. Find the AttestationStatement file in the GG example and add this function:

public String bytesToHex(byte[] bytes) {
    // Render each byte as two lowercase hex digits (no ":" separators)
    StringBuffer result = new StringBuffer();
    for (byte b : bytes) result.append(Integer.toString((b & 0xff) + 0x100, 16).substring(1));
    return result.toString();
}

2. Find the getApkCertificateDigestSha256 function and edit it like this:

public byte[][] getApkCertificateDigestSha256() {
    byte[][] certs = new byte[apkCertificateDigestSha256.length][];
    for (int i = 0; i < apkCertificateDigestSha256.length; i++) {
        // Each entry is a base64-encoded SHA-256 digest of a signing certificate
        certs[i] = Base64.decodeBase64(apkCertificateDigestSha256[i]);
        System.out.println(bytesToHex(certs[i]));
    }
    return certs;
}

3. Find the process() function in OnlineVerify and add this:

if (stmt.getApkPackageName() != null && stmt.getApkDigestSha256() != null) {
    System.out.println("APK package name: " + stmt.getApkPackageName());
    System.out.println("APK digest SHA256: " + Arrays.toString(stmt.getApkDigestSha256()));
    System.out.println("APK certificate digest SHA256: " +
            Arrays.deepToString(stmt.getApkCertificateDigestSha256()));
}

4. Now run it and you'll see the SHA-256; then compare.

Note: there is no ":" character between the SHA-256 bytes because I'm lazy. ^^
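The server-side check that Solutions 1 and 2 describe (hash the DER certificate, base64-encode it, compare against the apkCertificateDigestSha256 list in the JWS payload), as an added Python example that is not from the question or either answer. The certificate bytes, the nonce and the JWS below are constructed stand-ins; a real response is a signed JWS whose signature and attest.android.com certificate chain must be validated before the payload is trusted.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the DER bytes of the app signing certificate kept on
# the server (cert.getEncoded() in Solution 1); not a real certificate.
SIGNING_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-der-certificate-bytes"

def cert_sha256_b64(der: bytes) -> str:
    # Solution 1, steps 1-2: base64(SHA-256(DER)), the form SafetyNet reports.
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")

def cert_sha256_hex(der: bytes) -> str:
    # Solution 2's bytesToHex form, for eyeballing against keytool output.
    return hashlib.sha256(der).hexdigest()

def jws_payload(jws: str) -> dict:
    # The attestation result is a JWS; its middle segment is the base64url
    # (unpadded) JSON payload. Verify the JWS signature before trusting it.
    segment = jws.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def verify_attestation(jws: str, nonce: str, package: str, cert_der: bytes) -> tuple:
    # Returns (ok, reason); checks the fields the answers above compare.
    p = jws_payload(jws)
    if p.get("nonce") != nonce:
        return False, "nonce mismatch"
    if p.get("apkPackageName") != package:
        return False, "package name mismatch"
    expected = base64.b64decode(cert_sha256_b64(cert_der))
    # apkCertificateDigestSha256 is a list; compare bytes in constant time.
    digests = p.get("apkCertificateDigestSha256") or []
    if not any(hmac.compare_digest(base64.b64decode(d), expected) for d in digests):
        return False, "apk certificate digest mismatch"
    if not (p.get("ctsProfileMatch") and p.get("basicIntegrity")):
        return False, "device integrity check failed"
    return True, "ok"

def make_sample_jws(payload: dict) -> str:
    # Constructed unsigned JWS (dummy header, empty signature) for offline use;
    # a real response is signed by attest.android.com.
    def enc(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    header = enc(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{enc(json.dumps(payload).encode())}."
```

The nonce is compared as the base64 string the server issued and the app passed to SafetyNet, so the server must store it per request and reject reuse.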

Solution 3:

Check the code here as reference on how to do the validations: https://github.com/Gralls/SafetyNetSample/blob/master/Server/src/main/java/pl/patryk/springer/safetynet/Main.kt

I just found it while searching for the same thing, and all credit goes to the person that owns the repo.
