I'm developing an android library for a Fintech product. I want to restrict the usage of the AAR file only to the authenticated users. We have server validation with access key for each client. Is there any other client-side validation? What's the best mechanism to protect my library?
The best solution is to validate the package name of the hosting application and hash key of the signature at the server side.
Don't take the hash key as the parameter to your SDK, Let the SDK read it at runtime and pass it to the server.
public String getCertificateHash(Context context) {
String hashKey = "";
try {
PackageInfo info = context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);
for (Signature signature : info.signatures) {
MessageDigest md = MessageDigest.getInstance("SHA");
md.update(signature.toByteArray());
hashKey = Base64.encodeToString(md.digest(), Base64.DEFAULT);
}
} catch (PackageManager.NameNotFoundException e) {
LogUtil.printObject(e);
} catch (NoSuchAlgorithmException e) {
LogUtil.printObject(e);
}
return hashKey.trim();
}