Update expected signature in MainActivity and related changes for v0.2.2

Author: rajiv-singaseni

app/src/main/java/com/webileapps/protect/sample/MainActivity.kt

@@ -36,7 +36,7 @@ class MainActivity : AppActivity() {
                 SecurityChecker.SecurityCheckState.WARNING,  // ongoingCallCheck
                 SecurityChecker.SecurityCheckState.WARNING,  // appSignatureCheck
                 "com.webileapps.protect.sample",            // expectedPackageName
-                ""                                          // expectedSignature
+                "2A36434023EECADABE4F43B09C4BF95AB2594256BD0A2577424B85BC2C6E0CBB"                                          // expectedSignature
             )
         )
 

protect/src/main/java/com/webileapps/safeguard/FridaDetection.java

@@ -123,7 +123,9 @@ public boolean detectFridaDebugging() {
         boolean fridaTracer = detectFridaTracer();
 
         boolean detected = fridaServer || fridaPort || fridaLibrary || fridaTracer;
-        Log.e("Security>>>", "Frida detection result: Server=" + fridaServer + ", Port=" + fridaPort + ", Library=" + fridaLibrary + ", Tracer=" + fridaTracer);
+        if (detected) {
+            Log.e("Security>>>", "Frida detection result: Server=" + fridaServer + ", Port=" + fridaPort + ", Library=" + fridaLibrary + ", Tracer=" + fridaTracer);
+        }
 
         return detected;
     }

protect/src/main/java/com/webileapps/safeguard/SignatureComparison.java

@@ -7,54 +7,95 @@
 import android.os.Build;
 import android.util.Log;
 import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 
 public class SignatureComparison {
     private static final String TAG = "AppSignatureVerifier";
-
+    private static final String HASH_ALGORITHM = String.join("-", "SHA", "256");
+    
     public boolean isAppSignatureValid(Context context, String expectedSignatureHash) {
         try {
-            PackageManager packageManager = context.getPackageManager();
-            String packageName = context.getPackageName();
-            android.content.pm.PackageInfo packageInfo;
-            
-            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
-                packageInfo = packageManager.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES);
-            } else {
-                packageInfo = packageManager.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
-            }
-
-            Signature[] signatures;
-            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
-                SigningInfo signingInfo = packageInfo.signingInfo;
-                if (signingInfo != null) {
-                    signatures = signingInfo.getApkContentsSigners();
-                } else {
-                    signatures = null;
-                }
-            } else {
-                signatures = packageInfo.signatures;
+            // Validate input parameters
+            if (context == null || expectedSignatureHash == null) {
+                throw new IllegalArgumentException("Null context or expected hash");
             }
 
-            if (signatures == null || signatures.length == 0) {
-                Log.e(TAG, "No signatures found for the app.");
+            final String packageName = context.getPackageName();
+            final Signature signature = getAppSignature(context, packageName);
+            
+            if (signature == null) {
+                Log.e(TAG, "No valid signature found");
                 return false;
             }
 
-            MessageDigest md = MessageDigest.getInstance("SHA-1");
-            byte[] originalDigest = md.digest(expectedSignatureHash.getBytes());
-            byte[] currentDigest = md.digest(signatures[0].toByteArray());
+            final String currentHash = calculateSignatureHash(signature);
+            final String normalizedExpected = normalizeHash(expectedSignatureHash);
+            final String normalizedCurrent = normalizeHash(currentHash);
 
-            boolean isValid = MessageDigest.isEqual(originalDigest, currentDigest);
-            if (isValid) {
-                Log.d(TAG, "App signature is valid.");
-            } else {
-                Log.e(TAG, "App signature is invalid! Possible tampering detected.");
+            final boolean isValid = constantTimeEquals(normalizedExpected, normalizedCurrent);
+            
+            if (!isValid) {
+                Log.w(TAG, "Signature mismatch!\n" +
+                        "Expected: " + normalizedExpected + "\n" +
+                        "Actual:   " + normalizedCurrent);
             }
-
+            
             return isValid;
         } catch (Exception e) {
-            Log.e(TAG, "Error verifying app signature", e);
+            Log.e(TAG, "Signature verification failed: " + e.getMessage());
             return false;
         }
     }
-}
+
+    private Signature getAppSignature(Context context, String packageName) 
+        throws PackageManager.NameNotFoundException {
+        final PackageManager pm = context.getPackageManager();
+        final int flags = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P ?
+            PackageManager.GET_SIGNING_CERTIFICATES :
+            PackageManager.GET_SIGNATURES;
+
+        final android.content.pm.PackageInfo packageInfo = pm.getPackageInfo(packageName, flags);
+        
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+            final SigningInfo signingInfo = packageInfo.signingInfo;
+            return (signingInfo != null && signingInfo.hasMultipleSigners()) ? 
+                signingInfo.getApkContentsSigners()[0] : 
+                signingInfo != null ? signingInfo.getSigningCertificateHistory()[0] : null;
+        }
+        return packageInfo.signatures != null ? packageInfo.signatures[0] : null;
+    }
+
+    private String calculateSignatureHash(Signature signature) 
+        throws NoSuchAlgorithmException {
+        final MessageDigest md = MessageDigest.getInstance(HASH_ALGORITHM);
+        final byte[] hashBytes = md.digest(signature.toByteArray());
+        return bytesToHex(hashBytes);
+    }
+
+    // Constant-time comparison to prevent timing attacks
+    private boolean constantTimeEquals(String a, String b) {
+        if (a.length() != b.length()) {
+            return false;
+        }
+
+        int result = 0;
+        for (int i = 0; i < a.length(); i++) {
+            result |= a.charAt(i) ^ b.charAt(i);
+        }
+        return result == 0;
+    }
+
+    private String normalizeHash(String hash) {
+        return hash.replaceAll("[^A-Fa-f0-9]", "").toUpperCase();
+    }
+
+    private static String bytesToHex(byte[] bytes) {
+        final char[] hexChars = new char[bytes.length * 2];
+        for (int i = 0; i < bytes.length; i++) {
+            final int v = bytes[i] & 0xFF;
+            hexChars[i * 2] = "0123456789ABCDEF".charAt(v >>> 4);
+            hexChars[i * 2 + 1] = "0123456789ABCDEF".charAt(v & 0x0F);
+        }
+        return new String(hexChars);
+    }
+}