I'm checking the integrity of the Android app using SafetyNet.
It goes like this:
- To get the response, I produce a nonce value on the server and transmit it to the SafetyNet service.
- The server responds, and I receive it. I now want to check the server to confirm the outcome.
I get a base64 string. I decode it and get the response below.
Now I want to verify the apkCertificateDigestSha256. The sha256 created from my system using cmd is -
C:\Program Files\Java\jdk-11.0.11\bin>keytool -list -v -alias androiddebugkey -keystore C:\Users\.android\debug.keystore
Enter keystore password:
Alias name: androiddebugkey
Creation date: October 25, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 1
Valid from: Tue October 25 11:48:00 IST 2022 until: Thu October 18 11:48:00 IST 2051
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 2048-bit RSA key
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
Question - I want to verify that the apkCertificateDigestSha256 is the same as the app certificate, but I am unable to find any way to do it.
Tries - I tried to base64-decode AJRBzWCfJIY7QD2cp4sv9t0cCGMRGdxuID9VdPLV1H4= and got a random byte array that does not match the sha256 created in cmd.
val decode =
The output -
This is not matching 43:16:E2:63:DB:2A:53:7C:7D:BB:E9:80:7B:05:1C:74:7C:84:66:A2.
I found some references but don't really know how to achieve this.
How do I do the matching?
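The server-side comparison asked about above, as an added example that is not part of the question or of any SafetyNet SDK. It assumes (per the SafetyNet attestation format) that each apkCertificateDigestSha256 entry is base64 of the raw 32-byte SHA-256 digest of the DER-encoded signing certificate, i.e. the same bytes keytool prints on its "SHA256:" fingerprint line; the colon-separated value quoted in the question is only 20 bytes long, which is the length of a SHA-1 fingerprint, so it can never equal a SHA-256 digest.

```python
import base64
import hashlib
import hmac

# Digest value quoted from the attestation payload in the question above.
ATTESTED_DIGESTS = ["AJRBzWCfJIY7QD2cp4sv9t0cCGMRGdxuID9VdPLV1H4="]
# 20-byte fingerprint quoted in the question (SHA-1 length, not SHA-256).
QUESTION_FINGERPRINT = "43:16:E2:63:DB:2A:53:7C:7D:BB:E9:80:7B:05:1C:74:7C:84:66:A2"

def decode_digest(b64: str) -> bytes:
    """Decode one apkCertificateDigestSha256 entry; it must be exactly 32 raw bytes."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError(f"expected a 32-byte SHA-256 digest, got {len(raw)} bytes")
    return raw

def fingerprint_to_bytes(fingerprint: str) -> bytes:
    """Turn a keytool-style colon-separated hex fingerprint into raw bytes."""
    return bytes.fromhex(fingerprint.replace(":", ""))

def expected_digest_from_der(cert_der: bytes) -> str:
    """Base64(SHA-256(DER certificate)), the form used in apkCertificateDigestSha256."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")

def expected_digest_from_fingerprint(sha256_fingerprint: str) -> str:
    """Same value, derived from the 'SHA256:' line of `keytool -list -v` instead of the DER."""
    raw = fingerprint_to_bytes(sha256_fingerprint)
    if len(raw) != 32:
        raise ValueError("not a SHA-256 fingerprint (a SHA1: line is only 20 bytes)")
    return base64.b64encode(raw).decode("ascii")

def certificate_matches(attested: list, expected_b64: str) -> bool:
    """True if the expected signer digest is among the attested digests (constant-time compare)."""
    want = decode_digest(expected_b64)
    return any(hmac.compare_digest(decode_digest(d), want) for d in attested)

if __name__ == "__main__":
    # Constructed stand-in for the DER bytes of a signing certificate (not a real cert).
    fake_cert_der = b"constructed-stand-in-for-a-der-encoded-certificate"
    expected = expected_digest_from_der(fake_cert_der)
    print("decoded attested digest length:", len(decode_digest(ATTESTED_DIGESTS[0])))
    print("question fingerprint length:", len(fingerprint_to_bytes(QUESTION_FINGERPRINT)))
    print("matches constructed cert:", certificate_matches([expected], expected))
    print("matches attested list:", certificate_matches(ATTESTED_DIGESTS, expected))
```

To compare against a real build, take the hex from the "SHA256:" line of `keytool -list -v` for the signing keystore (debug or release) and pass it to expected_digest_from_fingerprint.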