They use a CRC32 to protect the code? That's easily spoofed. It's only intended to detect accidental changes to the data.

On Oct 7, 12:23 pm, JonFHancock <[email protected]> wrote:
> The Signature does not change on every build. The signature is not the same as a CRC32. I have already put out 3 updates with various code changes since I started using the server-side signature checking. I haven't changed the server-side code, and the app keeps on working. If I try a development build, it fails, because it is signed with a development key rather than my key from my keystore.
>
> I'm not sure what makes it the same, but I'm guessing as long as the package name is the same, and it is signed with the same key, it will have the same signature. The package manager won't even update an app if the signature is different.
>
> Still, my server-side method is susceptible to cracking. There is still a string being passed to the server that can be forged if the cracker finds where to inject it. I have probably made a silly mistake in giving the POST variables semantic names. The obfuscator can't change them because that would break things server-side. I think in my next release, I am going to anonymize the POST variables to arg1, arg2 etc... making it a little more confusing to hack.
>
> I also update the api version number with every release, and deprecate the api_version -2 every release. Thus forcing the users to update to keep their app working, and making hackers have to do their work all over again.
>
> On Oct 7, 2:33 am, String <[email protected]> wrote:
>
> > On Oct 7, 5:11 am, William Ferguson <[email protected]> wrote:
> >
> > > The one thing that it seems they will have to do is to change your package name to theirs, otherwise Market (AFAICT) won't allow it a duplicate package name to be published.
> > > So is it sufficient to just confirm that the package name is the same?
> >
> > I don't think that helps. The pirates aren't interested in publishing it to the Market; they distribute it on their own sites and through forums. So they're free to keep the package names unchanged.
> >
> > They have to change the signature, though. No getting around that.
> >
> > String
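
The CRC32 point at the top of this message, as an added example that is not part of the original thread: a CRC is unkeyed, so it catches a stale tag but accepts any tag recomputed by whoever edited the data, while a keyed check fails without the key. HMAC-SHA256 is a swapped-in stand-in for a keyed integrity check (the thread itself discusses APK signatures); the payloads, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample data standing in for the protected code or payload.
ORIGINAL = b"license_check=enabled;build=release"
TAMPERED = b"license_check=skipped;build=release"  # same length, deliberate edit
# Constructed key, assumed to be known only to the verifying side.
SECRET_KEY = b"constructed-demo-key"


def crc_verify(data: bytes, tag: int) -> bool:
    """Unkeyed check: anyone can compute a valid tag for any data."""
    return zlib.crc32(data) == tag


def hmac_tag(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_verify(data: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(data, key), tag)


def crc_change_is_predictable(msg: bytes, edited: bytes) -> bool:
    """CRC32 is affine over XOR: the tag of an edit follows from the old tag
    and the XOR difference alone, with no secret involved."""
    delta = bytes(a ^ b for a, b in zip(msg, edited))
    zeros = bytes(len(msg))
    predicted = zlib.crc32(msg) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)
    return predicted == zlib.crc32(edited)


def demo() -> dict:
    stored_crc = zlib.crc32(ORIGINAL)
    stored_mac = hmac_tag(ORIGINAL, SECRET_KEY)
    return {
        # A stale tag exposes the change: the accidental-corruption case.
        "crc_flags_stale_tag": not crc_verify(TAMPERED, stored_crc),
        # Whoever edits the data can also recompute the tag, so the check passes.
        "crc_accepts_recomputed_tag": crc_verify(TAMPERED, zlib.crc32(TAMPERED)),
        "crc_change_is_predictable": crc_change_is_predictable(ORIGINAL, TAMPERED),
        # Without SECRET_KEY the editor cannot produce a tag the verifier accepts.
        "hmac_accepts_tag_without_key": hmac_verify(
            TAMPERED, hmac_tag(TAMPERED, b"wrong-key"), SECRET_KEY),
        "hmac_accepts_genuine": hmac_verify(ORIGINAL, stored_mac, SECRET_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A keyed check only helps when the key stays off the device being checked; a key shipped inside the app can be read out of it like any other constant.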

