Skip to content

Application integrity

App integrity levels

In the Token Server configuration you can select one of the two app integrity levels: NONE or FULL. The FULL level will perform several checks for the app, including a tampering/modification check by validating the signing key of the app. The hash of the key that was used to sign the app is calculated by the SDK at runtime during the DCR and it is verified against the hash stored in the Token Server. To obtain the hash for the Token Server configuration please use the guide below.

When the app integrity level is set to NONE, the SDK will perform only the most basic sanity checks (like the app's name), but will not validate the signing keys.

Obtain the hash of the signing key

When you create an Android app you need to sign it using either:

  • a debug key provided by Android Studio
  • a signing key created by yourself
  • sign the app with "upload key" and let the Google Play App Signing apply the final signing

If the key is stored on your machine, you can use keytool to obtain information about the signing key, as shown here. The Onegini SDK uses the SHA-256 fingerprint of the signing key.

Example keytool output with visible SHA-256 fingerprint

Alias name: androiddebugkey
Creation date: 2020-09-02
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 1
Valid from: Wed Sep 02 17:20:09 CEST 2020 until: Fri Aug 26 17:20:09 CEST 2050
Certificate fingerprints:
     MD5:  F1:E6:A5:32:AB:05:4B:D3:A3:11:C0:D0:75:44:8C:8E
     SHA1: D4:0A:34:A6:B6:2B:05:82:60:C6:3D:1C:F8:5A:56:9D:8F:80:DF:82
     SHA256: D6:41:0F:E2:57:B1:B4:76:7A:72:47:0E:1A:76:0D:A2:9A:BB:89:5E:6F:08:AE:14:FF:B7:70:62:3C:FE:CD:1C
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1

If you use the Google Play App Signing then your signing key is stored in Google Play Store. You can find it in the Release > Setup > App Integrity tab.

Example key stored on Google Play Store

Store the app signatures

The SHA-256 value that is obtained must be stored in the Token Server admin console. Since the signing key can be rotated, therefore every application version has its list of valid signatures. The Token Server application version documentation provides more info on where and how to store the application signature for a specific application version.