Digitally signing a shared library on Android

Question

I'm looking for a way to digitally sign a shared library so I can verify the authenticity of said library. My proposed solution was to hash the library and store this in the Java file that loads and calls the library but the problem is that this will fail if the library is updated in the future (unless all applications using the library are also updated).

I was thinking it might be possible to instead insert a hash of the library that has been signed with a private key to, for example, the end of the .so file so that this signed hash can be trusted and does not need to be stored in the calling application for verification. Is there any support for this in the Android APIs and will inserting data into the library in this way potentially cause problems for the library loader?

Answer 1

If your library is not being installed in /system/lib, it is normally used by one application - the one which had the library packed into its APK, and the typical update process will involve both the C++ library and the Java app. Therefore your verification does not need to survive updates.

On the other hand, the standard authentication techniques apply to library signing as well. E.g. add a new API "GetVersion(int salt)" which will return the shared secret (which may be the hash of the same file), "salted" with the random input. Now, you make reverse engineering your signature harder, because no man-in-the-middle analysis cannot give them a clue.

This may be easier to implement than looking for a signature at fixed offset of the library file, and harder to work around.

At any rate, appending an arbitrary blob at the end of a shared object will not cause problems with the loader. You can add the custom step of modifying the .so files in your Android.mk files. You must do it during or after the install step, which strips the debug info from the library.