CertificateToolsHP Version 1.0.
As my HackProtect extension is getting very large, I am releasing some of the functions as standalone extensions. CertificateToolsHP provides three different certificate analysis functions for your APK to make sure it has not been cloned, patched, or hacked and re-signed.
If your app/APK is modified after it is released, it has to be re-signed.
Just before you publish, create a label and use the WhatIsSig block like the example below. Download the APK and run the app on an emulator or a device. Put the WhatIsSig result into a label and record what is returned.
Move back to Creator, and insert that ID into the APKSig block. This compares what you entered with the signature returned at run time. They should match. The block returns a boolean True/False.
Now you can use that APKSig block to make sure the signature at runtime matches the one you expect. Don’t use this method with Google Play App Signing: Google removes the original signature and adds another one, so this method will fail. Here is an example of it in use. You want to do something more graceful of course.
The IsAppCertificateDebug block checks if the app certificate is a debug certificate. This should not occur when you export from App Inventor builders, so this is a bad thing if it happens. This is a boolean True/False.
You can use it like above.
The NumberOfAppCertificates block checks to see if there is more than one signature on the APK. Your app should not be signed more than once, and if it is, it could be patched. This is a boolean True/False. True means there is more than one certificate and that is probably bad.
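
For readers who want to see what checks of this kind look like underneath the blocks, here is an added Java sketch using the standard Android APIs; it is not the extension's own code. The class and method names are hypothetical, and the SHA-256 hex fingerprint and the `CN=Android Debug` subject test (the Android SDK's default debug keystore) are assumptions, since the page does not say how the extension computes its values.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper mirroring the three blocks; not part of CertificateToolsHP.
public final class CertChecks {
    private CertChecks() {}

    // Signing certificates of the running app. GET_SIGNATURES is deprecated
    // since API 28 in favour of GET_SIGNING_CERTIFICATES.
    @SuppressWarnings("deprecation")
    static Signature[] signers(Context ctx) throws PackageManager.NameNotFoundException {
        PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        return info.signatures == null ? new Signature[0] : info.signatures;
    }

    // WhatIsSig analogue: SHA-256 of the first certificate, lowercase hex (assumed format).
    static String fingerprint(Context ctx) throws Exception {
        Signature[] s = signers(ctx);
        if (s.length == 0) return "";
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s[0].toByteArray());
        StringBuilder hex = new StringBuilder();
        for (byte b : d) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // APKSig analogue: compare against the value recorded before release.
    static boolean matchesExpected(Context ctx, String expectedHex) throws Exception {
        String actual = fingerprint(ctx);
        return !actual.isEmpty() && actual.equalsIgnoreCase(expectedHex.trim());
    }

    // IsAppCertificateDebug analogue: any signer issued to the SDK debug subject.
    static boolean isDebugCertificate(Context ctx) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Signature s : signers(ctx)) {
            X509Certificate c = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(s.toByteArray()));
            if (c.getSubjectX500Principal().getName().contains("CN=Android Debug")) return true;
        }
        return false;
    }

    // NumberOfAppCertificates analogue: true when more than one signer is present.
    static boolean hasMultipleCertificates(Context ctx) throws Exception {
        return signers(ctx).length > 1;
    }
}
```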