I want to develop a android sdk for our clients to use,how to ensure that only the client who apply for an APP_KEY can use my sdk? -

developers or clients want use skd should go website apply app_key.to apply app_key,they should offer app's package name,something "com.edward.myapp".also sha-1 of developers's certificate(generated keytool). can send app_key server verify app_key,the thing know app_key valid or invalid.but don't know if clients' app,it can else's app,and can package name.i don't want happen. how can verify ensure right app use sdk?

your sdk @ runtime can obtain sha1 of certificate used sign apk.

string getsignaturesha1(context context) {     packagemanager pm = context.getpackagemanager();     packageinfo info = null;     try {         info = pm.getpackageinfo(context.getpackagename(), packagemanager.get_signatures);     } catch (namenotfoundexception e) {         log.e(tag, "could not find info " + context.getpackagename());         return null;     }      byte[] signaturebytes = info.signatures[0].tobytearray();     messagedigest md = messagedigest.getinstance("sha");     md.update(signaturebytes);     byte[] digestbytes = md.digest();      stringbuilder builder = new stringbuilder();     (int = 0; < digestbytes.length; i++) {         // can omit if block if don't care colon separators         if (i > 0) {              builder.append(':');         }         builder.append(string.format("%02x", digestbytes[i] & 0xff));     }      return builder.tostring(); } 

you should once when app starts , cache result if need more once.