How to get trusted signing certificate for ionic app?

Hello Ionic’s

Recently a mobile app security team suggested some security points related to the signing certificate.

Here is what they said: “It has been observed that self-signed certificates are less trustworthy because they have not been vetted through official channels (CA). CAs can revoke a certificate when they discover it has been compromised, but organizations cannot revoke a self-signed certificate. Instead they must replace or rotate the certificate.”

Here is what they suggest: “It is recommended to get the application signed with a trusted CA.”

Alternative: there is a way we can check every time the app starts, in the app.component.ts file, that the certificate we used while publishing this app is the same, by some key or hash value, so we can take action accordingly: if the certificate is the same, continue; if some bad guy changed it and signed with another certificate, we can exit our app.

My app is already published on the Play Store with the traditional signing certificate:
$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore myApp_KeyStore.keystore app-release-unsigned.apk

Research on SSL pinning… that may be what you need.

Thanks. So in short I need to get an SSL pinning certificate for my API domain and use SSL pinning in the application, right?

I think wires are getting crossed here.

@rTwo: you seem to be talking of signing certificates as they pertain to JAR signing of the app binary itself.
@alexmigwi: you seem to be talking of an SSL certificate used by a backend REST service.

SSL pinning, while not useless in general, doesn’t seem to me to be particularly relevant here. If @alexmigwi’s right (and I’m therefore wrong), and what you are concerned about is an SSL cert for an HTTP server, I would just suggest using letsencrypt.

If what your “mobile security team” is concerned about is the key you use to sign your app binary, and this app is already available on the Google Play Store, then I think their fears are simply unfounded.

Imagine that you’re working in a legal office that has a mailroom. Since they’re a bunch of lawyers, they need to be sure that nobody sends random stuff out on their letterhead. So the mailroom contains the only official stationery, under lock and key, and you can’t access it. Crucially for the purposes of this discussion, the people in the mailroom know who you are, so when you hand them a handwritten note, they know it’s OK to type it up on corporate letterhead and send it out to the world.

That’s basically how the Play Store works. The key that you generate (which is used to self-sign your app for distribution) is known to Google, and that’s all that matters, because Google then can use the public half of that key to say “yep, that’s @rTwo all right, go ahead”. At that point, they do the equivalent of typing your memo up on corporate letterhead, by switching out your upload key for the (Google-authenticated) signing key.


@rapropos the newly edited question changes the context totally.

@rTwo as pointed out by @rapropos, signing the app before you upload it to the Play Store is a claim that you own it, or that the signing party owns it. This is one of the main reasons you self-sign and are supposed to keep the signing files safe from prying eyes and sign with the same key for new updates. This, for example, ensures no one can create a bogus or malicious app version and upload it to the store even if they manage to get your Play Store password.


@alexmigwi and @rapropos, thanks. I am already using the official app signing method. But in short I want to check if someone tampered with my APK and signed it with a different certificate. So, is there something like this in Ionic?

AFAIK once you upload an app to the store it can only be signed with a single certificate for the rest of its life (unless you lose it, and it’s a tedious process to change it).

Your certificate is also password secured, and unless someone has your keystore and its password plus access to your Play Store account, it’s highly unlikely that someone will tamper with your app store APK.

The other scenario would be if your users download a compromised app from places other than the app store, and there is not much you can do to stop them…

Finally found an alternative solution by using “cordova-plugin-signature-fingerprint” with Ionic 3. Simply better.
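A startup self-check of the kind discussed in this thread, as an added example that is not part of any post here and not the plugin’s own code. The plugin call that returns the installed APK’s signer fingerprint is assumed and is passed in by the caller; the expected fingerprint is a constructed placeholder.

```typescript
// Added example: compare the installed APK's signing-certificate fingerprint with
// the value expected for the release build, and decide whether to keep running.
// The fingerprint plugin call itself is an assumption and is injected by the caller.

// Constructed placeholder. With Play App Signing (the "mailroom" above) the installed
// APK carries Google's app-signing certificate, not your upload key, so take this
// value from Play Console > App signing, not from the upload keystore.
export const EXPECTED_SIGNER_SHA256 =
  'AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:' +
  'AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99';

// keytool, apksigner and plugins print fingerprints differently ("AA:BB", "aabb",
// "AA BB"); normalise to plain upper-case hex before comparing.
export function normalizeFingerprint(fp: string): string {
  return fp.replace(/[^0-9a-fA-F]/g, '').toUpperCase();
}

// Length-checked, constant-time comparison: empty input never matches, and a
// mismatch does not reveal how many leading bytes agreed.
export function fingerprintsMatch(actual: string, expected: string): boolean {
  const a = normalizeFingerprint(actual);
  const e = normalizeFingerprint(expected);
  if (a.length === 0 || a.length !== e.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ e.charCodeAt(i);
  return diff === 0;
}

export type SignatureVerdict = 'ok' | 'mismatch' | 'unavailable';

// Pure decision step, kept separate from the plugin call so it is unit-testable.
// `null` means no fingerprint could be read (e.g. running in a desktop browser).
export function classifySigner(actual: string | null, expected: string): SignatureVerdict {
  if (actual === null) return 'unavailable';
  return fingerprintsMatch(actual, expected) ? 'ok' : 'mismatch';
}

// Call from app.component.ts at startup. `getFingerprint` wraps whichever plugin
// you install (assumed here); a rejected promise is treated as "unavailable".
export async function verifyAtStartup(
  getFingerprint: () => Promise<string>,
  expected: string = EXPECTED_SIGNER_SHA256,
): Promise<SignatureVerdict> {
  let actual: string | null = null;
  try { actual = await getFingerprint(); } catch { actual = null; }
  const verdict = classifySigner(actual, expected);
  if (verdict === 'mismatch') {
    // Re-signed build: refuse to run. Note the expected value lives in the JS
    // bundle, so whoever repackages the app can edit it too; this is a speed bump.
    console.error('APK signer does not match the release certificate; exiting');
  }
  return verdict;
}
```

Because the check runs inside the bundle it protects, treat it as a deterrent against casual repackaging rather than a guarantee; the Play Store’s own signature enforcement described above is the real control.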