JD.com App sign Algorithm Analysis

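In the JD.com app, every request URL carries a sign parameter that is used to verify the integrity of the request. Below is a captured request from the Android client: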

POST https://api.m.jd.com/client.action?functionId=liveAuthorInfoV8510&clientVersion=8.5.12&build=73078&client=android&d_brand=Xiaomi&d_model=2014813&osVersion=5.1.1&screen=1280*720&partner=tencent&aid=c71b2af5f9ca20fc&oaid=&eid=eidAc03c8721cbs6PHTyK55HT5+qiww7vvlzIDx0853LGjeaRzu5dCDwMMU4u6wZIK1Xw3NJteWAa2Q/Fauh+5TWxQtDOYzH6mXtIg9d9JAtWqSOjERo&sdkVersion=22&lang=zh_CN&uuid=858734013255931-2982c1c99793&area=7_402_3645_55818&networkType=wifi&wifiBssid=a1fc402ba8d76f46acdb1dce735ddcc8&st=1589890491440&sign=6c9e34b06e6828e4adbecd59805f6466&sv=101 HTTP/1.1
Cookie: whwswswws=zJyadqAKa78wMXWbEPPSk5dwE4Jos2c0yeTcpviBp7Q8NpoCluTFLEF1J7BlKgTcscVhTlCBSKiPPDLsOvzP8xg==;unionwsws={"devicefinger":"eidAc01c8126cbs6PHTyK55HT5+qiww7vvlzIDx0853LGjeaRzu5dCDwMMU4u6wZIK1Xw3NJteWAa2Q\/Fauh+5TWxQtDOYzH6mXtIg9d9JAtWqSOjERo","jmafinger":"zJya8qAKa78wMXWbEPPSk5dwE4Jos1c0yeTcpviBp7Q8NpoCluTFLEF1J7BlKgTcscVhTlCBSKiPPDLs9vzP8xg=="};
Charset: UTF-8
Connection: Keep-Alive
jdc-backup: whwswswws=zJyadqAKa78wMXWbEPPSk5dwE4Jos2c0yeTcpviBp7Q8NpoCluTFLEF1J7BlKgTcscVhTlCBSKiPPDLsOvzP8xg==;unionwsws={"devicefinger":"eidAc01c8126cbs6PHTyK55HT5+qiww7vvlzIDx0853LGjeaRzu5dCDwMMU4u6wZIK1Xw3NJteWAa2Q\/Fauh+5TWxQtDOYzH6mXtIg9d9JAtWqSOjERo","jmafinger":"zJya8qAKa78wMXWbEPPSk5dwE4Jos1c0yeTcpviBp7Q8NpoCluTFLEF1J7BlKgTcscVhTlCBSKiPPDLs9vzP8xg=="};
Accept-Encoding: gzip,deflate
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 93
Host: api.m.jd.com
User-Agent: okhttp/3.12.1

body=%7B%22authorId%22%3A%22591810%22%2C%22liveId%22%3A%221193445%22%2C%22position%22%3A0%7D&

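By decompiling and analyzing the client source code, we found that functionId, uuid, client and clientVersion from the URL, together with body from the request body, take part in the sign calculation.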
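The value is computed by the a.LW().Mb().signature method, which ultimately calls into a native .so library through JNI. That is the whole sign calculation flow in the JD.com app; anyone interested can get in touch.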
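
An added example (not code from the original post or from the app): it parses a request shaped like the capture above and separates the fields the article lists as sign inputs from the remaining parameters. The helper name, the abridged sample URL and the repeated-parameter check are assumptions of this example; the signing routine itself lives in the native library and is not reproduced here.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Inputs to sign, as listed in the article.
SIGNED_FIELDS = ("functionId", "uuid", "client", "clientVersion", "body")

# Constructed sample: the capture above with the long device fields left out.
SAMPLE_URL = (
    "https://api.m.jd.com/client.action?functionId=liveAuthorInfoV8510"
    "&clientVersion=8.5.12&build=73078&client=android"
    "&uuid=858734013255931-2982c1c99793&st=1589890491440"
    "&sign=6c9e34b06e6828e4adbecd59805f6466&sv=101"
)
SAMPLE_BODY = (
    "body=%7B%22authorId%22%3A%22591810%22%2C%22liveId%22%3A%221193445%22"
    "%2C%22position%22%3A0%7D&"
)


def split_sign_inputs(url, form_body):
    """Return (sign, signed_fields, other_fields); hypothetical helper."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in parse_qs(form_body, keep_blank_values=True).items():
        pairs.setdefault(key, []).extend(values)  # body travels in the POST form

    # A repeated parameter makes "which value was signed" ambiguous; reject it.
    repeated = sorted(k for k, v in pairs.items() if len(v) > 1)
    if repeated:
        raise ValueError(f"repeated parameters: {repeated}")
    params = {k: v[0] for k, v in pairs.items()}

    sign = params.pop("sign", None)
    missing = [f for f in SIGNED_FIELDS if f not in params]
    if sign is None or missing:
        raise ValueError(f"not a signed request (missing: {missing or ['sign']})")

    signed = {f: params[f] for f in SIGNED_FIELDS}
    other = {k: v for k, v in params.items() if k not in SIGNED_FIELDS}
    return sign, signed, other


if __name__ == "__main__":
    sign, signed, other = split_sign_inputs(SAMPLE_URL, SAMPLE_BODY)
    print("sign:", sign)
    for name, value in signed.items():
        print("signed input:", name, "=", value)
    print("decoded body:", json.loads(signed["body"]))
    print("not listed as sign inputs:", sorted(other))
```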
