security - Verify Android apk has not been repackaged?

Question

Looking to improved the security of my Android app to flag if the .apk has been extracted, modified, repacked and resigned. Here's article from Zdnet noting the issue link1.

The concern is if the app is targeted by hackers they could add malicious code and upload to an alternate app store and dupe users in to downloading it.

So I'm thinking code to verify a checksum of the apk or signing certificate?

I appreciate the app code could be repacked and any security code removed, but it does increase the difficulty of repacking it, maybe enough for them to try another app.

[update]I know the Google Play store licensing module offers something similar but I'm looking for something for non paid apps and other/non marketplaces.

Answer 1

I ended up using Dexguard (paid obfuscator for Android). It offers a module that preforms apk verification. It is simple to implement and offers better than average protection.

Here's the code to do the check:

dexguard.util.TamperDetection.checkApk(context)

The main issue is where to store the checksum of the apk to verify against given that it could to be replaced. The dexguard way is to check it locally but using other features like class/string encryption and api hiding obscure this call.