The Signature does not change on every build. The signature is not the same as a CRC32. I have already put out 3 updates with various code changes since I started using the server-side signature checking. I haven't changed the server-side code, and the app keeps on working. If I try a development build, it fails, because it is signed with a development key rather than my key from my keystore.
I'm not sure what makes it the same, but I'm guessing as long as the package name is the same, and it is signed with the same key, it will have the same signature. The package manager won't even update an app if the signature is different.

Still, my server-side method is susceptible to cracking. There is still a string being passed to the server that can be forged if the cracker finds where to inject it. I have probably made a silly mistake in giving the POST variables semantic names. The obfuscator can't change them because that would break things server-side. I think in my next release, I am going to anonymize the POST variables to arg1, arg2 etc... making it a little more confusing to hack. I also update the api version number with every release, and deprecate the api_version -2 every release. Thus forcing the users to update to keep their app working, and making hackers have to do their work all over again.

On Oct 7, 2:33 am, String <[email protected]> wrote:
> On Oct 7, 5:11 am, William Ferguson <[email protected]>
> wrote:
>
> > The one thing that it seems they will have to do is to change your
> > package name to theirs, otherwise Market (AFAICT) won't allow it a
> > duplicate package name to be published.
> > So is it sufficient to just confirm that the package name is the same?
>
> I don't think that helps. The pirates aren't interested in publishing
> it to the Market; they distribute it on their own sites and through
> forums. So they're free to keep the package names unchanged.
>
> They have to change the signature, though. No getting around that.
>
> String
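The server-side check described in the message above, sketched as an added example that is not part of the original post or the poster's code. It assumes the app posts the hex SHA-256 digest of its signing certificate as `arg2` and its API version as `arg1`; that mapping, the version number and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for certificate bytes (assumption): a real client
# would hash the signing certificate reported for its installed package.
RELEASE_CERT = b"constructed-release-signing-certificate"
DEBUG_CERT = b"constructed-debug-signing-certificate"

CURRENT_API_VERSION = 7  # hypothetical value, bumped with every release


def client_digest(cert_bytes):
    """Digest the app would send: depends on the signing key, not the build."""
    return hashlib.sha256(cert_bytes).hexdigest()


# Pinned once on the server. It stays valid across app updates because every
# release is signed with the same keystore key.
PINNED_DIGEST = client_digest(RELEASE_CERT)


def check_request(post, current_api=CURRENT_API_VERSION, pinned=PINNED_DIGEST):
    """Return (accepted, reason) for a dict of POST variables."""
    try:
        api_version = int(post.get("arg1", ""))
    except (TypeError, ValueError):
        return False, "bad api_version"
    # Current and previous versions are served; current - 2 and older are
    # deprecated, which forces clients to update.
    if api_version > current_api or api_version <= current_api - 2:
        return False, "unsupported api_version"
    sent = str(post.get("arg2", "")).lower().encode("utf-8", "replace")
    # Constant-time comparison so the response time leaks nothing about the pin.
    if not hmac.compare_digest(sent, pinned.encode()):
        return False, "signature mismatch"
    # The server only ever sees the posted string. It cannot tell which client
    # produced it, which is the forgery weakness the message describes.
    return True, "ok"


if __name__ == "__main__":
    print(check_request({"arg1": "7", "arg2": client_digest(RELEASE_CERT)}))
    print(check_request({"arg1": "7", "arg2": client_digest(DEBUG_CERT)}))
    print(check_request({"arg1": "5", "arg2": client_digest(RELEASE_CERT)}))
```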

