Quote:
Originally Posted by Randy11
This is why I prefer to download an application directly from the source.
But of course; that is the most basic common sense - knowing that software can be tampered with;
unfortunately, on Android it may be impossible [to «download an application directly from the source»], because of Play as the main source [and developers only seldom releasing elsewhere]...
Fortunately, nonetheless, Android packages are signed... So you can compare signatures...
EDIT: ...although it may not be straightforward, since I am not sure there exists a repository of keys for comparison.
This command, for example, will return keys:
Code:
unzip -p MyAndroidPacKage.apk META-INF/CERT.RSA | keytool -printcert
For example, if the SHA1 key is the following, the package has to be from holders of the Onyx key:
20:55:FA:A2:A5:9A:FB:30:C6:08:2E:CC:F9:31:EF:01:DF:00:82:19
As per:
Code:
> unzip -p onyx--monitor-release.apk META-INF/CERT.RSA | keytool -printcert
Owner: CN=Zeng Zhu, OU=Onyx International, O=Onyx International, L=Guang Zhou, ST=Guang Dong, C=CN
Issuer: CN=Zeng Zhu, OU=Onyx International, O=Onyx International, L=Guang Zhou, ST=Guang Dong, C=CN
Serial number: 50c3e49a
Valid from: Sun Dec 09 02:08:42 CET 2012 until: Thu Apr 26 03:08:42 CEST 2040
Certificate fingerprints:
SHA1: 20:55:FA:A2:A5:9A:FB:30:C6:08:2E:CC:F9:31:EF:01:DF:00:82:19
SHA256: 02:5A:F5:EC:E2:A5:C5:0A:A9:CC:78:5B:81:B6:45:1F:49:98:64:15:A5:E6:A8:36:C8:AD:0B:54:04:85:BD:86
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
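The comparison described in the post, as an added example that is not part of the original post or of any Onyx tooling: it parses the `keytool -printcert` output shown above (embedded here as constructed sample input) and checks the certificate fingerprint against a fingerprint pinned from a copy obtained from a trusted source. The pinned value and the tampered-case check are assumptions for illustration; SHA-256 is compared rather than SHA-1 because SHA-1 is no longer collision-resistant.

```python
import re

# keytool -printcert output for the Onyx package, copied from the post above.
# Constructed sample for offline use; in practice feed in the output of:
#   unzip -p app.apk META-INF/CERT.RSA | keytool -printcert
PRINTCERT_OUTPUT = """\
Owner: CN=Zeng Zhu, OU=Onyx International, O=Onyx International, L=Guang Zhou, ST=Guang Dong, C=CN
Issuer: CN=Zeng Zhu, OU=Onyx International, O=Onyx International, L=Guang Zhou, ST=Guang Dong, C=CN
Serial number: 50c3e49a
Valid from: Sun Dec 09 02:08:42 CET 2012 until: Thu Apr 26 03:08:42 CEST 2040
Certificate fingerprints:
SHA1: 20:55:FA:A2:A5:9A:FB:30:C6:08:2E:CC:F9:31:EF:01:DF:00:82:19
SHA256: 02:5A:F5:EC:E2:A5:C5:0A:A9:CC:78:5B:81:B6:45:1F:49:98:64:15:A5:E6:A8:36:C8:AD:0B:54:04:85:BD:86
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
"""

# Assumed pin: the SHA-256 fingerprint recorded from a copy obtained from a trusted source.
PINNED_SHA256 = "025af5ece2a5c50aa9cc785b81b6451f49986415a5e6a836c8ad0b540485bd86"


def normalize_fingerprint(fp):
    """Drop colons, whitespace and case so fingerprints copied from different
    tools (or pasted with a stray space, as in the post) compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def parse_printcert(text):
    """Return the Owner and normalized SHA1/SHA256 fields of keytool -printcert output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Owner|SHA1|SHA256):\s*(.+)$", line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            fields[key] = normalize_fingerprint(value) if key.startswith("sha") else value
    return fields


def signer_matches(text, pinned_sha256):
    """True only if the certificate's SHA-256 fingerprint equals the pinned one.
    A missing fingerprint or any mismatch is treated as a failed check."""
    fields = parse_printcert(text)
    return "sha256" in fields and fields["sha256"] == normalize_fingerprint(pinned_sha256)


if __name__ == "__main__":
    print("signer matches pin:", signer_matches(PRINTCERT_OUTPUT, PINNED_SHA256))
```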