Android:
public static String getSignatureSHA1(Context context) { String sign = null; try { // 通过包管理器获得指定包名包含签名的包信息 @SuppressLint("PackageManagerGetSignatures") PackageInfo packageInfo = context.getPackageManager() .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES); // 通过返回的包信息获得签名数组 Signature[] signatures = packageInfo.signatures; sign = getSHA1FromSignature(signatures[0].toByteArray()); } catch (PackageManager.NameNotFoundException e) { e.printStackTrace(); } return sign; }
iOS:
+ (NSString *)bundleSeedID { NSDictionary *query = [NSDictionary dictionaryWithObjectsAndKeys: (__bridge id)kSecClassGenericPassword, (__bridge id)kSecClass, @"bundleSeedID", (__bridge id)kSecAttrAccount, @"", (__bridge id)kSecAttrService, (id)kCFBooleanTrue, (__bridge id)kSecReturnAttributes, nil]; CFDictionaryRef result = nil; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result); if (status == errSecItemNotFound) status = SecItemAdd((__bridge CFDictionaryRef)query, (CFTypeRef *)&result); if (status != errSecSuccess) return nil; NSString *accessGroup = [(__bridge NSDictionary *)result objectForKey:(__bridge id)kSecAttrAccessGroup]; NSArray *components = [accessGroup componentsSeparatedByString:@"."]; NSString *bundleSeedID = [[components objectEnumerator] nextObject]; CFRelease(result); return bundleSeedID; }
关于bundleSeedID,即App ID Prefixes,通俗点是 app id 前缀。可以作为证书的指纹使用,详细请看官方文档:
https://developer.apple.com/library/archive/technotes/tn2311/_index.html
服务器通过记录该客服端的值,能够知晓当前app用的是什么证书签名。一定程度上可以避免原始包被改后,使用其它签名运行,至于具体的策略还是要结合多种其它手段。(譬如 bundle id 或是包名的校验,包体加密混淆,防hook的一些策略等)