
I do have a question which bugs me. Whenever you use a Google API like Firebase Database you tell the endpoint upon creation the package name of your app that is allowed to use it and also the fingerprint of the certificate that you use to sign the app. Now when you try to use the API from another app (different package name) or change the signing certificate (e.g. switched from debug to release) Google will reject the call.

This made me think. How does Google know the signing certificate's fingerprint at runtime?

Can we use the same mechanism to secure a custom API Endpoint by checking the fingerprint? Getting the package name is easy and nothing to rely on, but I'm interested in the certificate fingerprint.

My goal is to authenticate requests on the server by something other than a hash of the parameters + salt and potentially a timestamp.

grAPPfruit
  • You add the certificate fingerprint of your app in the firebase console yourself, they just do the comparison. – Hristo Stoyanov Mar 06 '17 at 14:23
  • @HristoStoyanov comparing with what? When and how does the API get the fingerprint to send it along with the request? It's obvious that the fingerprint is on the server for comparison but how does the fingerprint from the client reach the server? – grAPPfruit Mar 06 '17 at 14:27

1 Answer


I did some more research on that topic. Turns out that you can access the signing certificate at runtime like so:

// Certificates the running APK was signed with (throws PackageManager.NameNotFoundException).
// GET_SIGNATURES is deprecated since API 28 in favour of GET_SIGNING_CERTIFICATES / SigningInfo.
Signature[] sigs = context.getPackageManager()
        .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures;
for (Signature sig : sigs) {
    // hashCode() is a 32-bit Java hash of the DER bytes, not the SHA-1/SHA-256 fingerprint the console shows
    Log.i("App", "Signature : " + sig.hashCode());
}

found here

grAPPfruit
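The answer above shows where the certificate comes from but stops at Signature.hashCode(), which is not what the Firebase console displays. The class below is an added example (not code from the question or answer) that turns the signer certificate into the colon-separated SHA-256 fingerprint that keytool and the console print, handles the API 28 SigningInfo path including rotated keys, and compares it against a pinned value; EXPECTED_SHA256 and the class name are hypothetical placeholders. One caveat the question's goal needs: all of this runs inside the app, so it can only tell the app who signed it. Google's own Android key restrictions work the same way, the client library sends the package name and certificate SHA-1 in the X-Android-Package and X-Android-Cert request headers and the server compares them with the console settings. A repackaged or instrumented client can send whatever string the server expects, so a self-reported fingerprint is an abuse-limiting hint, not authentication of the caller; for that you still need a secret or a server-verified attestation the client cannot forge.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SigningFingerprint {

    // Hypothetical pinned value: the SHA-256 keytool -list -v prints for your release
    // keystore, in the colon-separated uppercase form the Firebase console shows.
    static final String EXPECTED_SHA256 =
            "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
          + "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF";

    /** Signer certificates of the running APK, using SigningInfo where available. */
    static Signature[] currentSignatures(Context ctx) throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            // With a single signer the history covers key rotation; with multiple
            // signers there is no history and only the current signers are available.
            return info.signingInfo.hasMultipleSigners()
                    ? info.signingInfo.getApkContentsSigners()
                    : info.signingInfo.getSigningCertificateHistory();
        }
        @SuppressWarnings("deprecation")
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return info.signatures;
    }

    /** Digest of the DER-encoded certificate, formatted like keytool ("AA:BB:...") . */
    static String fingerprint(Signature sig, String algorithm) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(sig.toByteArray());
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /** True if any signer of this APK matches the pinned SHA-256 (constant-time compare). */
    static boolean isSignedByExpectedKey(Context ctx) {
        try {
            for (Signature sig : currentSignatures(ctx)) {
                byte[] actual = fingerprint(sig, "SHA-256").getBytes();
                if (MessageDigest.isEqual(actual, EXPECTED_SHA256.getBytes())) {
                    return true;
                }
            }
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            // Our own package always exists and SHA-256 is mandatory on Android;
            // anything else here is treated as a mismatch rather than a pass.
        }
        return false;
    }
}
```

Pass "SHA-1" to fingerprint() to reproduce the value the console asks for when registering the app. Since the debug and release keystores produce different certificates, isSignedByExpectedKey() returning false after switching build types is exactly the behaviour the question observed with Firebase.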