Question

I want to create a security app and want to check that a downloaded application has not been tampered with. I found a solution to verify the app using the jarsigner utility, but can I do it programmatically?

I have seen that we can add binaries and use them programmatically; can I do that in this scenario? How?


Solution

Android checks whether the APK signature verifies at install time; you don't have to do it manually. However, it doesn't necessarily mean that the signature is your signature; anyone can re-sign an APK. And with the recent so-called 'MasterKey' exploits, APKs can be modified without invalidating the signature (as far as Android is concerned). So, if you want to make sure you are getting the same binary you expect, calculate its SHA1, etc. hash and compare it to what you are expecting. You can also check whether the signing certificate is your own. This will give you the binary certificate:

PackageManager pm = getPackageManager();
// signatures[] holds android.content.pm.Signature objects; toByteArray() yields the DER-encoded X.509 certificate
byte[] certDer = pm.getPackageInfo(getPackageName(), PackageManager.GET_SIGNATURES).signatures[0].toByteArray();
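
The certificate pinning check the answer describes, written out as an added example (this is not code from the original answer). It pulls every signer certificate of an installed package through the same PackageManager.GET_SIGNATURES call, hashes each DER blob with SHA-256 and compares it in constant time against a pinned digest. The class name SignerCheck, the method names and the all-zero EXPECTED_CERT_SHA256 value are assumptions; replace the placeholder with the SHA-256 of your own release certificate (for example from `keytool -printcert -jarfile app.apk`).

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Added example: verify that a package is signed only by the certificate we expect. */
public final class SignerCheck {

    // Hypothetical placeholder: put the SHA-256 of YOUR release certificate (DER encoding) here.
    private static final byte[] EXPECTED_CERT_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    private SignerCheck() {}

    /**
     * Returns true only if every signer certificate of packageName matches the pinned digest.
     * Requiring all signers to match means an extra, attacker-added signer cannot slip through.
     */
    public static boolean isSignedByExpectedCert(Context ctx, String packageName) {
        PackageInfo info;
        try {
            info = ctx.getPackageManager()
                      .getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // package not installed
        }
        Signature[] sigs = info.signatures;
        if (sigs == null || sigs.length == 0) {
            return false; // unsigned or unreadable: treat as untrusted
        }
        for (Signature sig : sigs) {
            byte[] digest;
            try {
                digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
            } catch (NoSuchAlgorithmException e) {
                return false; // SHA-256 is always present on Android, but fail closed anyway
            }
            // MessageDigest.isEqual is a constant-time comparison
            if (!MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256)) {
                return false;
            }
        }
        return true;
    }

    /** Parses a Signature's DER bytes into an X509Certificate (subject, validity, public key). */
    public static X509Certificate toX509(Signature sig) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(sig.toByteArray()));
    }

    /** Lower-case hex of a digest, handy for printing the value to pin during development. */
    public static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Two caveats worth keeping in mind. First, a check like this is only meaningful when run against another package (or from code the attacker cannot alter): if it sits inside the APK being verified, whoever re-signs the APK can simply remove it. Second, GET_SIGNATURES is deprecated from API 28 onward in favour of GET_SIGNING_CERTIFICATES, which exposes the signing lineage through PackageInfo.signingInfo and adds PackageManager.hasSigningCertificate() for exactly this kind of pinned comparison.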

OTHER TIPS

There is a Maven plugin for this. You can use it for signing your APK file: https://code.google.com/p/maven-android-plugin/wiki/SigningAPKWithMavenJarsigner

Licensed under: CC-BY-SA with attribution