Application signature

The Onegini SDK provides additional security protecting an application against tampering/modification by calculating its Application Signature. The Application Signature is calculated by the SDK at runtime and it is verified against the Application Signature stored in the Token Server. To calculate the Application Signature for the Token Server configuration please use the signature calculation tool.

Obtain the Signature calculator

Onegini support can provide you with the application signature calculator. It can be downloaded from the Onegini Artifactory repository, the same repository from which the Android SDK is downloaded. The tool is a Java application packaged as a jar file. The artifact is called android-app-signature-calculator.

You must download the 1.0.0 version of the signature calculator tool.

Requirements

This feature is available since version 3.02.01 of the Onegini Android SDK. In order to execute the tool you need to have Java 8 installed on your machine.

Calculate value

Once you have obtained the signature calculator you can execute it. The tool is a Java utility that you run from the command line.

Perform the following command:

java -jar android-app-signature-calculator-1.0.0.jar {PATH_TO_APPLICATION_BINARY}

If the provided path is valid the tool will print the calculated signature value.

Calculated signature - a491d0374840ac684d6bcb4bf9fc93ee4d9731dbe2996b5a1db2313efb42b7e

Store the application signature

The value that is calculated must be stored in the Token Server admin console. Every application version has its own specific application signature, since the signature changes for every build that you make of an application. The Token Server application version documentation provides more information on where and how to store the application signature for a specific application version.
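Because the signature changes with every build, it is worth automating the calculate-and-record step. The following is an added example (not part of the Onegini documentation or tooling): a small POSIX shell wrapper that parses the calculator's "Calculated signature - <hex>" output line and compares it with the value recorded for that application version. The jar path, the app-signatures.txt record file and its "<version> <signature>" line format are assumptions for this example.

```shell
#!/bin/sh
# Added example, not Onegini code. Assumptions: CALCULATOR_JAR points at the
# downloaded calculator jar; SIGNATURE_FILE is a locally kept record with one
# "<version> <signature>" pair per line (hypothetical format).
CALCULATOR_JAR="${CALCULATOR_JAR:-android-app-signature-calculator-1.0.0.jar}"
SIGNATURE_FILE="${SIGNATURE_FILE:-app-signatures.txt}"

# Extract the hex value from the tool's "Calculated signature - <hex>" line.
# Prints the signature; returns 1 when the output contains no such line
# (for example when the path to the binary was invalid).
parse_signature() {
    sig=$(printf '%s\n' "$1" \
        | sed -n 's/^Calculated signature - \([0-9a-f]*\)$/\1/p' | head -n 1)
    [ -n "$sig" ] || return 1
    printf '%s\n' "$sig"
}

# Run the calculator on an application binary and print the parsed signature.
calculate_signature() {
    out=$(java -jar "$CALCULATOR_JAR" "$1") || return 1
    parse_signature "$out"
}

# Print the signature recorded for a version in the record file (empty if none).
lookup_signature() {
    awk -v v="$2" '$1 == v { print $2; exit }' "$1"
}

# Compare the signature of a fresh build with the recorded one.
# Exit status: 0 match, 1 mismatch (Token Server needs the new value),
# 2 no record for this version yet.
check_signature() {
    expected=$(lookup_signature "$1" "$2")
    [ -n "$expected" ] || return 2
    [ "$expected" = "$3" ]
}

# Usage from a build script (not run here):
#   actual=$(calculate_signature app-release.apk)
#   check_signature "$SIGNATURE_FILE" 1.2.0 "$actual" || echo "update Token Server"
```

A mismatch (exit 1) means the Token Server configuration for that version must be updated with the new value before the app can communicate, unless development mode is enabled.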

Development mode

The Application Signature changes whenever the application is modified. If the application signature changes you need to update the Token Server configuration with the new value. Communication will fail if the application signature configured in the Token Server does not match the application signature of the application. To suppress this requirement, turn on development mode in the Token Server application configuration.

Limitations

Please note that some custom firmware builds for rooted devices (notably "AvatarRom") apply zipalign when the application is installed, which changes the application signature. In such a case, if tampering detection is enabled, the SDK will not allow the tampered application to be used.