I need to make an app where you will open a PDF document, show it to a customer and he will electronically sign it(write his signature on a tablet).
From what I read you need the data from the signature being created (time stamp, pressure and time from drawing) and attach it to the PDF.
But is this enough? So do I open a canvas, read the data and attach it to the PDF together with the signature image itself, or do I need to digitally sign the PDF as well? If this is enough, then where do I attach all that additional data (time stamp, ...)? - I plan on using the iText library.
There are lots of aspects to your question. In the end it all comes down to your/your customers' requirements for the process. Let me illustrate what you can do:
Firstly: There is a difference between a digital signature and a handwritten representation of a signature - although you can combine both...
<strong>Solution I</strong><ol> <li>Capture the signature image (from a canvas), create an image out of it </li> <li>Put the image into the PDF</li> </ol>
<strong>Solution II</strong><ol> <li>Same as above</li> <li>Create a standard PDF signature field, set the signature image as its appearance and digitally sign the field and thus the document (you need a certificate for that, but it can be self-signed). The timestamp (and further info like location, reason etc.) can also be added and is then part of the signature</li> </ol>
<strong>Solution III</strong><ol> <li>Same as above</li> <li>Also collect the so-called biometric data of the signature (x,y coordinates, pressure as you mentioned (however not always available) and a timestamp for each coordinate pair)</li> <li>Encrypt the biometric data and add it to the signature field (strongly oversimplified)</li> <li>Same as step 2 from above (cp. Solution II)</li> </ol>
<strong>Solution IV (Update)</strong>
As you mentioned in your comment you want an eIDAS compliant signature:
"I do not need it to be digitally signed what I need is basic e-signature that is valid underneath eIDAS"
<strong>To make it clear: eIDAS is a way to digitally sign PDF documents.</strong><ol> <li>Same as above</li> <li>If you want an eIDAS compliant eSignature you also need a certificate. There is no way around it. But the certificate can be self-signed, so it shouldn't be a problem. The rest is the same as in Solution II (step 2)</li> </ol>
There may be other combinations (e.g. using qualified certificates from a smart card etc.) but in the end only you can decide what's the right solution for you. It depends on your requirements, your country's regulations and the legal necessities of the contracts you want to sign.
What are the differences between the solutions?
The first solution doesn't provide any possibility to verify the authenticity of the signer, nor does it ensure that the document wasn't altered after the signature image was added. Solution II provides exactly that; however, if self-signed certificates are used the signer cannot be identified (anybody could have signed that document). To prove that, you have to use qualified certificates or go with Solution III.
<ul>
<li>If the signer should sign at a certain place, it makes sense to add empty signature field(s) when creating the document. Then, when it is opened in your application, a user can click on the signature field he wants to sign.</li>
<li>There are many existing solutions you could use exactly for that use case. Thus you also have to ask yourself: why reinvent the wheel?</li>
<li>Most of those solutions also don't directly sign the document on the (Android) client but do the actual signing on a central server. Using that approach you don't need to re-implement your solution for each platform (iOS, Windows Phone, web browser on a desktop PC etc.)</li>
</ul>
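The following is an added, self-contained example of Solutions II and III as the answer describes them, written against iText 5.5.x and BouncyCastle; it is not code from the answer or from the iText project. It puts the image drawn on the canvas into a visible signature field, records reason, location and signing time, and signs the document with a key from a PKCS#12 keystore (a self-signed certificate created with keytool is enough to test with). The biometric part is deliberately a sketch: the pen samples, the AES-GCM encryption, the keystore name `sig.p12`, the field name `CustomerSig` and the choice to store the encrypted blob as an embedded file are all assumptions made for this example; the answer says only "encrypt the biometric data and add it to the signature field".

```java
// Added example (not the answer's or iText's own code). Requires itextpdf 5.5.x
// and bcprov/bcpkix on the classpath. Assumed inputs: contract.pdf,
// signature-from-canvas.png (the canvas rendered as PNG) and sig.p12 created with
//   keytool -genkeypair -alias sig -keyalg RSA -keysize 2048 -storetype PKCS12 \
//           -keystore sig.p12 -storepass changeit -dname "CN=Kiosk"
import com.itextpdf.text.Image;
import com.itextpdf.text.Rectangle;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.BouncyCastleDigest;
import com.itextpdf.text.pdf.security.ExternalDigest;
import com.itextpdf.text.pdf.security.ExternalSignature;
import com.itextpdf.text.pdf.security.MakeSignature;
import com.itextpdf.text.pdf.security.PrivateKeySignature;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Calendar;
import java.util.List;

public class SignWithHandwrittenImage {

    /** One pen sample captured from the tablet canvas (assumed data model). */
    public record PenSample(int x, int y, float pressure, long tMillis) {}

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // Signing key and certificate chain (self-signed is fine for testing).
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new FileInputStream("sig.p12"), "changeit".toCharArray());
        PrivateKey pk = (PrivateKey) ks.getKey("sig", "changeit".toCharArray());
        Certificate[] chain = ks.getCertificateChain("sig");

        PdfReader reader = new PdfReader("contract.pdf");
        FileOutputStream os = new FileOutputStream("contract-signed.pdf");
        // append=true: the signature is written as a new revision, so earlier
        // revisions (and any earlier signatures) stay byte-for-byte intact.
        PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0', null, true);

        // Solution III (sketch): encrypt the biometric samples and embed them so
        // the signature below also covers them. Constructed sample data; the
        // storage location is an assumption, not something the answer prescribes.
        List<PenSample> strokes = Arrays.asList(
                new PenSample(120, 40, 0.31f, 0L),
                new PenSample(131, 44, 0.52f, 16L),
                new PenSample(140, 51, 0.48f, 33L));
        byte[] blob = encryptBiometrics(strokes, demoBiometricKey());
        stamper.addFileAttachment("encrypted biometric data", blob, null, "biometrics.bin");

        // Solution II: visible signature field whose appearance is the drawn image.
        PdfSignatureAppearance app = stamper.getSignatureAppearance();
        app.setReason("Customer acceptance");
        app.setLocation("Store tablet");
        app.setSignDate(Calendar.getInstance());   // signing time from the device clock
        app.setVisibleSignature(new Rectangle(36, 700, 300, 760), 1, "CustomerSig");
        // If the PDF already contains an empty field, use instead:
        // app.setVisibleSignature("CustomerSig");
        app.setRenderingMode(PdfSignatureAppearance.RenderingMode.GRAPHIC);
        app.setSignatureGraphic(Image.getInstance("signature-from-canvas.png"));

        ExternalDigest digest = new BouncyCastleDigest();
        ExternalSignature signature = new PrivateKeySignature(pk, "SHA-256", "BC");
        // The 7th argument is the TSA client; null means the signing time above is
        // only the signer's own clock. Pass new TSAClientBouncyCastle(url) for an
        // RFC 3161 timestamp from a third party.
        MakeSignature.signDetached(app, digest, signature, chain,
                null, null, null, 0, MakeSignature.CryptoStandard.CMS);
    }

    /** Serialise the samples as CSV and encrypt with AES-256-GCM; 12-byte IV is prepended. */
    static byte[] encryptBiometrics(List<PenSample> samples, SecretKey key) throws Exception {
        StringBuilder csv = new StringBuilder("x,y,pressure,t_ms\n");
        for (PenSample s : samples) {
            csv.append(s.x()).append(',').append(s.y()).append(',')
               .append(s.pressure()).append(',').append(s.tMillis()).append('\n');
        }
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(csv.toString().getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Demo key only (assumption): a fresh random key that nobody keeps. */
    static SecretKey demoBiometricKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }
}
```

Two points the answer leaves implicit. First, the biometric blob is embedded before `signDetached` runs, so it is covered by the document signature and cannot be swapped later; it must not be added in a later revision. Second, the demo key is thrown away, which makes the blob unreadable by anyone; in a real deployment the data is encrypted to a key the operator does not hold (commonly a public key kept by a neutral party) so that only a dispute procedure, not the operator, can recover the pen samples, which is the whole reason for collecting them in Solution III.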