Checksum Verification

An Android library checksum is a cryptographic value (hash) generated for an Android library file to ensure its integrity. The checksum is produced using algorithms like SHA-256, MD5, or others. When a library is distributed or used in an Android project, its checksum can be verified against a known, original checksum to confirm that the library has not been altered or corrupted during transit or installation.

This verification helps detect any unauthorized changes, such as malicious code injection or file corruption, which could potentially affect the security, functionality, or performance of an app. By comparing the checksum of the library with the original or expected checksum, developers and security tools can ensure that the library remains intact and secure.

How to verify the Show SDK checksum

Get hash value:

  • Go to the MVN Repository.

  • Select the SDK version you're using.

  • Navigate to Files -> View All.

  • Select vgsshow-<VERSION>.aar.sha256.

  • Copy the hash value.

Add a custom Gradle task to verify the hash value:

  • Go to your app build.gradle.kts.

  • Add the custom Gradle task:

import java.security.MessageDigest // Place this import at the very top of build.gradle.kts

tasks.register("verifyShowChecksum") {
    doLast {
        // Resolve all dependencies declared as implementation
        val dependencies = configurations.getByName("implementationDependenciesMetadata")
        // Find the Show SDK artifact among the resolved files
        val dependency = dependencies.find { it.name.contains("vgsshow") }

        println(dependency)

        val expectedChecksum = "<HASH_VALUE>" // Replace with the expected SHA-256 checksum

        if (dependency != null) {
            val sha256 = calculateSHA256(dependency) // Calculate the SHA-256 checksum of the Show dependency

            println("Downloaded artifact checksum: $sha256")

            // Compare case-insensitively and ignore stray whitespace from copy/paste
            if (sha256.equals(expectedChecksum.trim(), ignoreCase = true)) {
                println("Checksum matches. The artifact is valid.")
            } else {
                // GradleException marks the build as failed
                throw GradleException("Checksum mismatch! The artifact may be corrupted or tampered with.")
            }
        } else {
            throw GradleException("Artifact not found!")
        }
    }
}

// Function to calculate the SHA-256 checksum of a dependency file
fun calculateSHA256(file: File): String {
    val digest = MessageDigest.getInstance("SHA-256")
    // Stream the file in 8 KiB chunks so large artifacts are not loaded into memory
    file.inputStream().use { inputStream ->
        val buffer = ByteArray(8192)
        var bytesRead: Int
        while (inputStream.read(buffer).also { bytesRead = it } != -1) {
            digest.update(buffer, 0, bytesRead)
        }
    }
    // Render the digest as lowercase hex
    return digest.digest().joinToString("") { "%02x".format(it) }
}

  • Run the checksum verification task:

./gradlew verifyShowChecksum
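
An added example, not part of the original page or the SDK's own tooling: the same comparison as a shell check outside Gradle, for instance in a CI step, run against an AAR file already on disk. The function names are assumptions of this example. It accepts upper-case or "hash  filename" input and fails closed when the expected value is not a 64-character hex digest.

```shell
# Added example: verify a local AAR against its published .sha256 value.

# Print the lowercase hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Reduce the copied value to a bare lowercase digest. Accepts "HASH",
# "HASH  filename", upper case, and trailing CR/LF.
normalize_expected() {
    printf '%s' "$1" | tr -d '\r' | awk 'NR==1 {print tolower($1)}'
}

# verify_artifact <artifact-path> <expected-value>
# Returns 0 on match, 1 on mismatch, 2 on unusable input (fails closed).
verify_artifact() {
    local artifact="$1" expected actual
    expected="$(normalize_expected "$2")"
    [ -f "$artifact" ] || { echo "Artifact not found: $artifact" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters. Reject anything else,
    # including an empty value or an unreplaced <HASH_VALUE> placeholder.
    case "$expected" in
        ""|*[!0-9a-f]*) echo "Expected value is not a hex digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "Expected value is not 64 hex characters" >&2; return 2; }
    actual="$(sha256_of "$artifact")"
    if [ "$actual" = "$expected" ]; then
        echo "Checksum matches: $actual"
        return 0
    fi
    echo "Checksum mismatch! expected=$expected actual=$actual" >&2
    return 1
}

# Stand-alone use: script.sh <artifact> <file containing the expected value>
if [ "$#" -eq 2 ]; then
    verify_artifact "$1" "$(cat "$2")" || exit $?
fi
```

The distinct exit codes let a pipeline tell a tampered or corrupted artifact (1) apart from a misconfigured check (2).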
