Match Android apk SHA256 with SafetyNet apkCertificateDigestSha256

0 votes

I'm checking the integrity of the Android app using SafetyNet.

It goes like this:

  1. To get the response, I produce a nonce value on the server and transmit it to the SafetyNet service.
  2. The server responds, and I receive it. I now want to check the server to confirm the outcome.

I get a base64 string. I decode it and get the response below.

{
    "evaluationType": "BASIC",
    "ctsProfileMatch": false,
    "apkPackageName": "com.test.safetynetproject",
    "apkDigestSha256": "CbU9JzwRzQneYqnEXewB56ZzPm1DgQ4LGUK0eGlWmyM=",
    "nonce": "U2FnYXI=",
    "apkCertificateDigestSha256": [
        "AJRBzWCfJIY7QD2cp4sv9t0cCGMRGdxuID9VdPLV1H4="
    ],
    "timestampMs": 1624099377557,
    "basicIntegrity": false
}

Now I want to verify the apkCertificateDigestSha256. The sha256 created from my system using cmd is -

C:\Program Files\Java\jdk-11.0.11\bin>keytool -list -v -alias androiddebugkey -keystore C:\Users\.android\debug.keystore
Enter keystore password:
Alias name: androiddebugkey
Creation date: October 25, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 1
Valid from: Tue October 25 11:48:00 IST 2022 until: Thu October 18 11:48:00 IST 2051
Certificate fingerprints:
         SHA1: 43:16:E2:63:DB:2A:53:7C:7D:BB:E9:80:7B:05:1C:74:7C:84:66:A2
         SHA256: 00:94:41:CD:60:9F:24:86:3B:40:3D:9C:A7:8B:2F:F6:DD:1C:08:63:11:19:DC:6E:20:3F:55:74:F2:D5:D4:7E
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1

Warning:
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.

The SHA256

00:94:41:CD:60:9F:24:86:3B:40:3D:9C:A7:8B:2F:F6:DD:1C:08:63:11:19:DC:6E:20:3F:55:74:F2:D5:D4:7E

Question - I want to verify if the apkCertificateDigestSha256 is the same as the app certificate. But unable to find any way to do it.

Tries- I tried to base64 decode the AJRBzWCfJIY7QD2cp4sv9t0cCGMRGdxuID9VdPLV1H4= and got a random byte array that does not match with the sha256 created in cmd.

Code -

val decode =
    String(
        Base64.decode(
            responseJws!!.apkCertificateDigestSha256!![0],
            Base64.DEFAULT
        ),
        StandardCharsets.UTF_8
    )

The output -

This is not matching 43:16:E2:63:DB:2A:53:7C:7D:BB:E9:80:7B:05:1C:74:7C:84:66:A2.

Update-

Found some ref but don't really know how to achieve this. 

How do I do the matching?

Nov 4, 2022 in Android by Edureka
• 13,620 points
1,160 views

1 answer to this question.

0 votes

You've missed a keyword in the download page:

You can verify the signing certificate on the APK matches this SHA256 fingerprint

Since APK files are really just ZIP files, open them with your preferred archive program (I prefer 7zip) and extract META-INFCERT.RSA from it. The certificate fingerprint can then be compared to what is stated on the website. Be aware that this differs from the hash of the entire certificate. To check it, you'll need to use keytool.

The Java JDK contains the keytool binary, which is located in the %ProgramFiles%Java jdk version>bin directory and can be used as follows:

keytool -printcert -file X:\Path\To\CERT.RSA

Output looks like this:

Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 16:24:42 BST 2010 until: Tue May 16 16:24:42 BST 2045
Certificate fingerprints:
         MD5:  D9:0D:B3:64:E3:2F:A3:A7:BD:A4:C2:90:FB:65:E3:10
         SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
         SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
         Signature algorithm name: SHA1withRSA
         Version: 3

As you can see, the SHA256 fingerprint corresponds to what we observed on the website.

Once this has been confirmed, you can proceed to install the APK on your Android device. You can rely on the Android operating system to verify that the APK is correctly signed since it won't let you load it unless you've confirmed that the signing certificate inside the APK matches the one that Signal expects you to see.

answered Nov 8, 2022 by Edureka
• 12,690 points

Related Questions In Android

0 votes
0 answers

Android Studio AVD - Emulator: Process finished with exit code 1

I'm having trouble starting my android emulator. ...READ MORE

Sep 21, 2022 in Android by Edureka
• 13,620 points
790 views
0 votes
0 answers

Invoke-customs are only supported starting with android 0 --min-api 26

Before, I was using Gradle build version ...READ MORE

Sep 21, 2022 in Android by Edureka
• 13,620 points
528 views
0 votes
0 answers

Android: why the ICICI iMobile Pay App shows the "rooted/jailbroken" device with my app?

The ICICI iMobile Pay app displays the ...READ MORE

Nov 9, 2022 in Android by Edureka
• 12,690 points
1,090 views
0 votes
1 answer

Proguard returned with error code 1. (com.google.android.gms)

You must run the following command if ...READ MORE

answered Nov 15, 2022 in Android by Edureka
• 13,620 points
889 views
0 votes
1 answer

Match Android apk SHA256 with SafetyNet apkCertificateDigestSha256

Google depreciated SafetyAPI and Introduced PlayIntegrity API ...READ MORE

answered Jun 6, 2022 in Others by nisha
• 2,210 points
1,024 views
0 votes
1 answer

Running docker on Android

According to the documentation, the Android kernel is ...READ MORE

answered Aug 1, 2018 in Docker by Kalgi
• 52,350 points
3,806 views
0 votes
1 answer

Task Canceled Exception while invoking AWS Lambda

I'm guessing either the TaskCanceledException instance is ...READ MORE

answered Sep 19, 2018 in AWS by Priyaj
• 58,020 points
2,486 views
0 votes
1 answer

Is there a way to run Python on Android?

YES! here’s a barcode scanner written in six ...READ MORE

answered Sep 19, 2018 in Python by Priyaj
• 58,020 points
1,039 views
0 votes
1 answer
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP