
[Android] - App Integrity check not valid #72

Closed
duspada opened this issue Jun 19, 2024 · 1 comment
Labels: documentation (Improvements or additions to documentation)
duspada commented Jun 19, 2024

Describe the bug
When I try to use appIntegrity in React Native, it always indicates an invalid hash.

To Reproduce
For example, assuming my hash is:
SHA1: 5B:CD:E1:EF:90:B8:37:BE:9B:6D:28:3D:BA:10:67:C0:A7:55:54:05
SHA256: B1:8D:3D:EC:84:51:88:1D:94:17:66:A0:0E:F2:E5:EF:61:53:84:57:46:E2:63:08:06:55:7A:E9:E7:75:9D:83
I have tried as follows:
NUI6Q0Q6RTE6RUY6OTA6Qjg6Mzc6QkU6OUI6NkQ6Mjg6M0Q6QkE6MTA6Njc6QzA6QTc6NTU6NTQ6MDU= - base64 of SHA1

QjE6OEQ6M0Q6RUM6ODQ6NTE6ODg6MUQ6OTQ6MTc6NjY6QTA6MEU6RjI6RTU6RUY6NjE6NTM6ODQ6NTc6NDY6RTI6NjM6MDg6MDY6NTU6N0E6RTk6RTc6NzU6OUQ6ODM= - base64 of SHA256

with:
apksigner verify --print-certs app-release.apk:
Signer #1 certificate SHA-256 digest: b18d3dec8451881d941766a00ef2e5ef6153845746e2630806557ae9e7759d83
Signer #1 certificate SHA-1 digest: 5bcde1ef90b837be9b6d283dba1067c0a7555405
Signer #1 certificate MD5 digest: 9a35cbd3e84cacc3bcdfe6e4f52a4e10

So I tried:
5bcde1ef90b837be9b6d283dba1067c0a7555405 - hash in lowercase without colons
NWJjZGUxZWY5MGI4MzdiZTliNmQyODNkYmExMDY3YzBhNzU1NTQwNQ== - base64 of it

b18d3dec8451881d941766a00ef2e5ef6153845746e2630806557ae9e7759d83 - hash in lowercase without colons
YjE4ZDNkZWM4NDUxODgxZDk0MTc2NmEwMGVmMmU1ZWY2MTUzODQ1NzQ2ZTI2MzA4MDY1NTdhZTllNzc1OWQ4Mw== - base64 of it

Nothing ever works...

Please complete the following information:

  • Device: Android
  • OS version: any
  • Version of freeRASP: latest

Additional context
In the documentation, the only available information is "the hashes must be in base64," but it doesn't specify which hash to use (whether SHA-1, SHA-256, or another) nor how to retrieve this hash...
It doesn't clarify if the hash should be processed (removing colons or not), if it should be lowercase, uppercase, or in another format, making it very difficult to use correctly.
Additionally, I believe that if there were a function that returns the current hash (the one the library is validating against), it would make debugging easier, as we could reverse-engineer the "expected" hash and thus implement it correctly.

@duspada duspada added the bug Something isn't working label Jun 19, 2024
msikyna (Member) commented Jun 21, 2024

Hello @duspada ,

Thank you for the question. The documentation moreover states 'If you are not sure how to get your certificate hash, you can check out the guide on our Github wiki.' The wiki page specifies that it is SHA-256 and there is a link to the tool, which should be used for the conversion of the hash to base64: https://base64.guru/converter/encode/hex

In your case, when I put 'B1:8D:3D:EC:84:51:88:1D:94:17:66:A0:0E:F2:E5:EF:61:53:84:57:46:E2:63:08:06:55:7A:E9:E7:75:9D:83' into the tool, I receive 'sY097IRRiB2UF2agDvLl72FThFdG4mMIBlV66ed1nYM=', which should be put in the configuration.

We will try to improve this part of the documentation, thank you for the feedback 👍

Kind regards,
Talsec team
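The two posts above differ on what gets base64-encoded: the issue encodes the hex text of the fingerprint, while the maintainer's tool decodes the hex to its raw 32 digest bytes and base64-encodes those. The following Python is an added example, not freeRASP or Talsec code, that performs the same conversion locally, rejects SHA-1 and MD5 digests (the wiki says SHA-256), and shows the mistaken form beside the correct one; the sample fingerprint is the SHA-256 value from this issue.

```python
import base64
import re

# Constructed sample values: the SHA-256 certificate fingerprint from this
# issue and the base64 value the maintainer derived from it.
FINGERPRINT_SHA256 = (
    "B1:8D:3D:EC:84:51:88:1D:94:17:66:A0:0E:F2:E5:EF:"
    "61:53:84:57:46:E2:63:08:06:55:7A:E9:E7:75:9D:83"
)
EXPECTED_B64 = "sY097IRRiB2UF2agDvLl72FThFdG4mMIBlV66ed1nYM="


def fingerprint_to_bytes(fingerprint: str) -> bytes:
    """Parse a certificate digest as printed by apksigner or keytool.

    Accepts upper or lower case hex, with or without colon separators, so
    'B1:8D:...' and 'b18d3d...' map to the same 32 raw bytes.
    """
    hexdigits = re.sub(r"[:\s]", "", fingerprint)
    if not re.fullmatch(r"[0-9a-fA-F]+", hexdigits):
        raise ValueError("fingerprint contains non-hex characters")
    raw = bytes.fromhex(hexdigits)
    if len(raw) != 32:
        # A 20-byte SHA-1 or 16-byte MD5 digest would never match what the
        # integrity check computes, so refuse it early.
        raise ValueError(
            f"expected a SHA-256 digest (32 bytes), got {len(raw)} bytes"
        )
    return raw


def fingerprint_to_base64(fingerprint: str) -> str:
    """Base64 of the raw digest bytes: the form the configuration expects."""
    return base64.b64encode(fingerprint_to_bytes(fingerprint)).decode("ascii")


def base64_of_hex_text(fingerprint: str) -> str:
    """The mistake from the issue: base64 of the ASCII hex text itself.

    This encodes the characters 'B', '1', ':', ... rather than the byte
    0xB1, so the result is a different string that will never match.
    """
    return base64.b64encode(fingerprint.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    print("correct :", fingerprint_to_base64(FINGERPRINT_SHA256))
    print("mistaken:", base64_of_hex_text(FINGERPRINT_SHA256))
```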

@msikyna msikyna added documentation Improvements or additions to documentation and removed bug Something isn't working labels Jun 21, 2024
@msikyna msikyna assigned tompsota and unassigned talsec-app Jun 21, 2024
@duspada duspada closed this as completed Jul 4, 2024