I have to implement in an Android application a function that allow me to sign a PDF, when i say "sign" I mean the digital signature (First and second name) affixed to the end of the document from the user.
I have access to a Samsung Note 4 (with stylus) then it would not be a problem, "write" on the display.
The question is: there is the possibility to sign a document using some library like itext or I must write a custom function ?
I guess you want to apply an electronic signature on a document using a user's handwriting with a pen. As has said #mkl, 'digital signature' concept is usually applied when using digital certificates and cryptography.
Handwritten electronic signature requirements
People tend to think that the handwritten signature consists of embedding an image, but so that your system has a minimum legal value in case of litigation you will need:
R1 - ensure the identity of the signer
R2 - Uniquely attach signature and document
R3 - protect integrity of document and signature
More or less these are the characteristics of digital signatures.
Handwritten signature on Android
The process on android should be like this:
R2) capture the user graph including biometrics(x,y,time,pressure) using a Canvas. Embed image and biometrics data into document using PDFBox or itext (client or server side)
R1) included biometric data in previous step allows a potential analysis of signature by an expert
R3) I suggest to apply a timestamp over document and signature evidences to protect the integrity and ensure the time of signature. Both itext and PDFBox support it
If you do not need legal value, then apply only the drawing part. The quality of your signature will be determined by the devices characteristics. For example a specific signature tablet can provide also the orientation of the pen
Android links
Drawing on Canvas and save image (see example, you can get pressure and time from event)
PDFBox, inserting image in pdf
PDFBox attach files to pdf
PDFBox digital-signature example with timestamp
You will find similar links for itext. Select the most suitable for your use case and whether you want to execute on Android or in the server side
Related
The 01 September 2010 Android Developers' Blog discusses Securing Android LVL Applications. In order to make an app tamper resistant it describes the following technique :-
In order for an attacker to remove the LVL from your code, they have to
modify your code. Unless done precisely, this can be detected by your
code. There are a few approaches you can use here.
The most obvious mechanism is to use a lightweight hash function, such
as CRC32, and build a hash of your application’s code. You can then
compare this checksum with a known good value. You can find the path
of your application’s files by calling context.GetApplicationInfo() —
just be sure not to compute a checksum of the file that contains your
checksum! (Consider storing this information on a third-party server.)
What does this mean? Which file(s) is it that is supposed to be put into the hash function? And how would you compare the hash with the checksum (because surely if you then added a checksum comparison check to your sourcecode and rebuilt it, you'd get a different checksum?
Am I correct in thinking that this method is ONLY of any use if your app is able to get the checksum from a separate server?
I need to make an app where you will open a PDF document, show it to a customer and he will electronically sign it(write his signature on a tablet).
From what I read you need the data from the signature being created (time stamp, pressure and time from drawing) and attach it to the PDF.
But is this enough? So to open a canvas, read the data and attach it to the PDF with the signature image itself or do I need to digitally sign the PDF as well? If this is it enough, then where to attach all that additional data(time stamp...)? - I plan on using itext library.
There are lots of aspects coming with your question. In the end it all comes down to your/your customers requirements of the process. Let me illustrate what you can do:
Firstly: There is a difference between a digital signature and a handwritten representation of a signature - although you can combine both...
Solution I
Capture the signature image (from a canvas), create an image out of it
Put the image into the PDF
Solution II
Same as above
Create a standard PDF signature field, set the signature-image as its appearance and digitally sign the field and thus the document (you need a certificate for that, but it can be self-signed). The timestamp (and further infos like location, reason etc.) can also be added and are part of the signature
Solution III
Same as above
Also collect the so called biometric data of the signature (x,y coordinates, pressure like you mentioned (however not always available) and timestamp for each coordinate pair
Encrypt the biometric data and add it to the signature field (strongly oversimplified)
Same as step 2 from above (cp. Solution II)
Solution IV (Update)
As you mentioned in your comment you want an eIDAS compliant signature:
"I do not need it to be digitally signed what I need is basic e-signature that is valid underneath eIDAS"
To make it clear: eIDAS is a way to digitally sign PDF documents.
Same as above
If you want an eIDAS compliant eSignature you also need a certificate. There is no way around it. But the certificate can be self-signed so it shouldn't be a problem. The rest is the same like in Solution II (step 2)
There may be other combinations (e.g. using qualified certificates from a smart card etc.) but in the end only you can decide what's the right solution for you. It depends on your requirements, your countries regulations and the legal necessities of the contracts you want to sign.
What are the differences of the solutions?
The first solution doesn't provide any possibility to verify the authenticity of the signer nor does it ensure that the document wasn't altered after the signature-image was added. Solution II provides exactly that however if self-signed certificates are used the signer cannot be identified (anybody could have signed that document). To prove that, you have to use qualified certificates or go with solution III.
Last remarks:
If the signer should sign at a certain place it makes sense to add empty signature field(s) when creating the document. Then when opened in your application a user can click on the signature field he wants to sign.
There are many existing solutions you could use exactly for that use case. Thus you also have to ask yourself: Why to reinvent the wheel?
Most of those solutions also don't directly sign the document on the (android) client but do the actual signing on a central server. Using that approach you don't need to re-implement you solution for each platform (iOS, windows phone, Webbrowser on a desktop pc etc.)
I have a finger print scanner connected to an arduino which transmits data to android device through BT,the FPS has only a built in limited capacity of 200 fingerprints and i need a much higher capacity.Is there a way I can transform the fingerprint templates provided by the FPS directly on an android device to a string , number or byte ?
FingerPrint sensor could produce picture of fingerprint or template (list of minutiae.
Template are created from picture by extracting minutiae.
Matching between 2 fingerprint are done on template.
So it's better to store template. It's required less storage and it's more faster (not need to extract minutiae at each match).
Picture could be converted in byte array.
Template are byte array.
Send us more details: What's fingerprint sensor ? Which Fingerprint SDK do you use ?
I have a look to your SDK and it look like a SDK I already used maybe it's another version. I never been able extract template in ISO format to use it outside sensor. And I never been able to extract template and re-inject it in sensor to use it to match.
But you have 2 methods
"DownChar" & "UpChar" to download and upload template in sensor.
I want to create a word document within an android app and send that document through mail.
Is there any tutorial for creating a word document in android. I have gone through several other questions on this website but i didn't got a clear answer.
can we do this on Android using Apache POI.
If any any sample example exist then please mention.
Thanks in advance.
You can use any Java library in Android, so I do think this would be the way you could accomplish what you want (using Apache POI).
You can send the attachment by adding it as an extra to the Intent you use to create a mail message (lots of examples of that).
Apache POI looks your best bet, but note that the component that deals with Word docs only supports simple files:
HWPF and XWPF for Word Documents
HWPF is our port of the Microsoft Word 97 (-2003) file format to pure Java. It supports read, and limited write capabilities. It also provides simple text extraction support for the older Word 6 and Word 95 formats. Please see the HWPF project page for more information. This component remains in early stages of development. It can already read and write simple files.
We are also working on the XWPF for the WordprocessingML (2007+) format from the OOXML specification. This provides read and write support for simpler files, along with text extraction capabilities.
You should seriously consider whether you can use a different format for your emails - plain text, or maybe HTML.
I have read through a number of posts and resources regarding AES, CommonCryptor, salt and MAC in search of a solution to a problem I am facing with the release of my mobile software library. I would like to pass an encrypted string to my iPhone and Android App via HTML and JavaScript in a WebView using custom URL Scheme, with the string as a parameter. The HTML file will be created on my site and then distributed to users to store on their web servers.
From what I have read, I would encrypt the string in the HTML file using a key before distributing it to the user. Then the same key would be stored in the library and used to decrypt the string. But if someone decompiles my App they would then have the key and be able to decrypt the string stored in the distributed HTML file. I know that the library can be easily decompiled, but providing the string along with the code is really giving it away. And the real danger it that one could use the HTML files to trigger nefarious actions in a hacked version of my library.
I really don’t want to make a call to my site to get the key or salt and I am not sure that would offer any protection. Would a random salt stored along with the key in the library work?
I am willing to put in the time to research, code and test this, but first I would like to know if this is even feasible using AES, CommonCryptor, salt or MAC. If we solve it here, it will be available to all as the solution to this problem.
Thank You
Compile your own openssl and crypro static libraries and include those two static modules into your own native .so module. Don't use internal Android SSL.
Sore the key deep inside in some protected manner (simple solution is to use an array of floats with some non trivial hashing). Decipher the encrypted messages in the native code. Decide whenever the message is OK or not also inside the native code. Don't return to Java with plain boolean values.
Whenever a hacker wants to crack your code he has to decompile ~800K of native code.