> They use a CRC32 to protect the code? That's easily spoofed. It's
> only intended to detect accidental changes to the data.
What? I don't think anybody said they use a CRC32 to protect code. I was saying that the Signature does not change from build to build like a CRC32 would.

On Oct 7, 10:58 am, DanH <[email protected]> wrote:
> They use a CRC32 to protect the code? That's easily spoofed. It's
> only intended to detect accidental changes to the data.
>
> On Oct 7, 12:23 pm, JonFHancock <[email protected]> wrote:
> > The Signature does not change on every build. The signature is not
> > the same as a CRC32. I have already put out 3 updates with various
> > code changes since I started using the server-side signature
> > checking. I haven't changed the server-side code, and the app keeps
> > on working. If I try a development build, it fails, because it is
> > signed with a development key rather than my key from my keystore.
> >
> > I'm not sure what makes it the same, but I'm guessing as long as the
> > package name is the same, and it is signed with the same key, it will
> > have the same signature. The package manager won't even update an app
> > if the signature is different.
> >
> > Still, my server-side method is susceptible to cracking. There is
> > still a string being passed to the server that can be forged if the
> > cracker finds where to inject it. I have probably made a silly
> > mistake in giving the POST variables semantic names. The obfuscator
> > can't change them because that would break things server-side. I
> > think in my next release, I am going to anonymize the
> > POST variables to arg1, arg2 etc... making it a little more confusing
> > to hack.
> >
> > I also update the api version number with every release, and deprecate
> > the api_version -2 every release. Thus forcing the users to update to
> > keep their app working, and making hackers have to do their work all
> > over again.
> >
> > On Oct 7, 2:33 am, String <[email protected]> wrote:
> > > On Oct 7, 5:11 am, William Ferguson <[email protected]> wrote:
> > > > The one thing that it seems they will have to do is to change your
> > > > package name to theirs, otherwise Market (AFAICT) won't allow a
> > > > duplicate package name to be published.
> > > >
> > > > So is it sufficient to just confirm that the package name is the same?
> > >
> > > I don't think that helps. The pirates aren't interested in publishing
> > > it to the Market; they distribute it on their own sites and through
> > > forums. So they're free to keep the package names unchanged.
> > >
> > > They have to change the signature, though. No getting around that.
> > >
> > > String

--
You received this message because you are subscribed to the Google Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
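An added example, not code from anyone in this thread, showing where the stable value JonFHancock describes comes from: the app reads its own signing certificate through PackageManager and hashes it, which yields the same fingerprint for every build signed with the same keystore key and a different one for a development-key build. `SigningCertCheck` and `EXPECTED_SHA256_HEX` are hypothetical names; the fingerprint is a placeholder the developer fills in from their release certificate. As the thread already notes, a value computed on the device and posted to a server is only as trustworthy as the client that sent it.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper (added example, not from the thread). On Android a
// Signature is the DER-encoded signing certificate, so its hash stays fixed
// across builds as long as the same key signs them, unlike a CRC32 of the code.
public final class SigningCertCheck {

    // Placeholder: replace with the SHA-256 fingerprint of your release cert
    // (keytool -list -v -keystore release.keystore prints it).
    static final String EXPECTED_SHA256_HEX = "<release-cert-sha256-placeholder>";

    /** Hex SHA-256 of each certificate the installed package is signed with. */
    @SuppressWarnings("deprecation") // GET_SIGNATURES; API 28+ also has GET_SIGNING_CERTIFICATES
    public static List<String> signingCertFingerprints(Context ctx) throws Exception {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(
                ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        List<String> out = new ArrayList<>();
        for (Signature sig : info.signatures) {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            out.add(toHex(md.digest(sig.toByteArray())));
        }
        return out;
    }

    /** True only if every signer matches the expected release certificate. */
    public static boolean signedWithReleaseKey(Context ctx) throws Exception {
        List<String> fps = signingCertFingerprints(ctx);
        if (fps.isEmpty()) return false;
        byte[] expected = EXPECTED_SHA256_HEX.getBytes(StandardCharsets.UTF_8);
        for (String fp : fps) {
            // Constant-time comparison; a dev-key build yields a different hash
            if (!MessageDigest.isEqual(fp.getBytes(StandardCharsets.UTF_8), expected)) {
                return false;
            }
        }
        return true;
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

A server receiving this fingerprint can compare it against the same constant, but since a repackaged build can post any string, the check detects accidental re-signing rather than a determined attacker; pairing it with the per-release api version bump from the thread raises the cost without making the value itself trustworthy.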

