Use Keystore Hash for Encryption #89
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Generate the 'obfuscator' using a combination of the Package Name and Keystore Hash
Add -PkeyHash
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
I have changed the encryption process to use the app signing
keystore hashalong with the packageName.Reason
By using this plugin, the secret key in the app has been moved to the native layer, making it much harder to access through decompilation. Although it is technically possible to decompile the .so file to uncover its contents, this process is extremely challenging. Nevertheless, after a significant amount of time and effort, I was able to import the .so file into another project and retrieve the secret key.
Of course, this plugin returns incorrect values if the package name doesn't match. However, since the package name is easily exposed, I believe it's not secure enough on its own, which is why I created this PR.
Method
I have added a mandatory
-PkeyHashinput. Users are required to enter the hash of the keystore they used to build their app here.Additionally, I have modified the existing obfuscator generation method from
SHA(packageName)toSHA(packageName + keyHash).To prevent the keyHash from being exposed, it is only used during the creation of the obfuscator and is not stored in the native layer. During runtime, the keyHash is loaded by accessing the PackageManager API in signature.cpp.
In Conclusion
I agree with the statement, "Nothing on the client-side is unbreakable." This PR was created to enhance security. even if just slightly.