Get checksum of the source codes in Android library

If you distribute via play you might have a look into SafetyNet: https://developer.android.com/training/safetynet/index.html

The checksum approach can be applied to single file or zip files. It will be a lengthy process to check the checksum of all files. I think you are in the wrong direction.

Firstly, There is no clear solution to this problem. Any app can be hacked - you can just make it hard to hack.

This is what is done to make it hard -

1. Encrypt the your apk - so that its hard to get to your source code. refer - APK to protect apk from reverse engineering - Check obfuscating tools.

2. Use data encryption while sending/receiving data from WebService. You can use HMAC to protect the data. Make sure your server is smart enough to block user/requesting-apps in case there are multiple bad calls. HMAC is easy to implement and there are libraries to generate HMAC keys.

Get the app signature which is tied to the certificate used to sign the APK

public static String getAppSignature(Context context) {    try {        for (Signature signature : context.getPackageManager().getPackageInfo(context.getPackageName(),                PackageManager.GET_SIGNATURES).signatures) {            MessageDigest md = MessageDigest.getInstance("SHA");            md.update(signature.toByteArray());            return Base64.encodeToString(md.digest(), Base64.DEFAULT);        }    } catch (Exception e) { /* Do nothing */ }    return null;}

This can be compared with a stored value to check if the signing certificate is the original or not.