This is a simple proof-of-concept app that enumerates installed packages and APK files on the external storage device and extracts the code signing certificate(s) for each.
A SHA1 fingerprint of each certificate public key is displayed and also stored in a file which maps package names to signature fingerprints.
Using this fingerprint database, the app is able to flag known fingerprints used for new packages (displayed in yellow) and unexpected fingerprints for known packages (displayed in red).
While the Android code signing security model requires upgrades to use the same signing key, it is still possible to get an unexpected signature if an app is uninstalled and reinstalled.
- Check that Market apps that purport to be from the same publisher are signed with the same key.
- Check that non-Market apps are signed with a known key before installing.
- Still need to determine whether the PackageManager interface that extracts signatures is simply extracting the certificate value or also validating the signatures on the package, particularly in the external storage device case.