Well, until we figure out how to test against the signature, I used
the method for finding the crc here:
http://www.javafaq.nu/java-example-code-230.html
using getApplicationContext().getPackageCodePath() as the file name.
Fortunately, my app is 100% dependent on server data. So I just post
the crc with every call to the server, and do this before anything
else:
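// Allow-list of CRC values for the builds currently supported
$valid_crcs = array(43533464345,9905847384);
// Reject the request unless the posted crc is present and on the list
if( !isset($_POST['crc']) || !in_array($_POST['crc'],$valid_crcs) ){
    die();
}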
I'm only just testing it, and I expect it to become a hassle because I
maintain a market and off-market version, and a beta for each, so four
current versions, plus supporting old versions. The crc array is going
to get long. Add in the Amazon market, and Verizon market... ugh...
Still, it seems like it might be effective.
Of course, if the hacker is good enough, they can check the crc before
they modify it, then hard code that crc into the calls to the web
server. So maybe it won't be effective at all...
On Oct 1, 4:52 pm, DanH <[email protected]> wrote:
> Yeah, that's essentially what I was saying.
>
> On Oct 1, 4:45 pm, Kostya Vasilyev <[email protected]> wrote:
>
> > Regarding signature checking - I think having LVL check the signature
> > against the correct one (known to Market) would be very useful in thwarting
> > attacks on LVL based on modifying the application code.
>
> > Pirates (hackers) don't have access to the developer's private key, so after
> > modifying the application, they have to sign it using some other key. This
> > could be detected by the Market server when performing LVL checks.
>
> > --
> > Kostya Vasilyev -- http://kmansoft.wordpress.com
>
> > 02.10.2010 1:12 user "DanH" <[email protected]> wrote:
>
> > In theory there's no need to checksum your apk file, unless you
> > suspect it's being dynamically modified. The apk was signed with your
> > private key, and can't be modified by anyone else without invalidating
> > the signature.
>
> > What you really want to be sure of is that the application is signed
> > with your certificate. (Of course, I've not yet found a way to access
> > that info.)
>
> > On Sep 28, 1:30 am, Asker <[email protected]> wrote:
>
> > > Hi,
>
> > > Following the examples given by Johns Trevor in order to secure
> > > Android LVL Applications...
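
An added example, not part of the original thread or written by any of its participants: reading the certificate the installed package is signed with, using PackageManager.GET_SIGNATURES (deprecated since API 28 in favour of GET_SIGNING_CERTIFICATES). The class name SignerCheck and the EXPECTED_SHA256 placeholder are assumptions made for illustration.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SignerCheck {
    // Placeholder (assumption): lowercase hex SHA-256 of your release certificate in DER form.
    private static final String EXPECTED_SHA256 = "<sha256-of-your-release-certificate>";

    private SignerCheck() {}

    /** Returns the hex SHA-256 of every certificate the installed package is signed with. */
    public static String[] signerFingerprints(Context context)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        PackageInfo info = context.getPackageManager().getPackageInfo(
                context.getPackageName(), PackageManager.GET_SIGNATURES);
        Signature[] sigs = info.signatures;
        if (sigs == null) return new String[0];
        String[] out = new String[sigs.length];
        for (int i = 0; i < sigs.length; i++) {
            // Signature.toByteArray() is the DER-encoded signing certificate.
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            out[i] = toHex(md.digest(sigs[i].toByteArray()));
        }
        return out;
    }

    /** True only if there is at least one signer and every signer matches the expected key. */
    public static boolean isSignedByExpectedKey(Context context) {
        try {
            String[] prints = signerFingerprints(context);
            if (prints.length == 0) return false;
            for (String p : prints) {
                if (!EXPECTED_SHA256.equals(p)) return false;
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed if the package or digest is unavailable
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

A certificate fingerprint stays the same across every build signed with the same key, so a server-side allow-list keyed on it does not grow with each version the way the crc array does. As with the crc, a value the client reports about itself can be hard-coded by a modified app, so it raises the effort required rather than proving integrity.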