In my implementation, the danger is not that the hacker will use my
key to sign the apk after modifying it (not possible), but that the
hacker will debug the post variables being sent to the server and copy
the key, then hard code the string into the api call, do his other
modifications, sign it with his key, and poof, my anti-piracy measures
are broken.

However, I also log the CRC32 of the current app with each API
call.  If I see a particular CRC32 that I know I didn't sign, I can
block its API access selectively.

Since I already require users to stay up to date within 2 versions, I
have fairly good knowledge of what legitimate CRC32s are out there.



On Oct 8, 2:01 am, Dianne Hackborn <hack...@android.com> wrote:
> On Thu, Oct 7, 2010 at 6:22 PM, DanH <danhi...@ieee.org> wrote:
> > So what is protecting the application from forgery?
>
> What do you mean?  This is the cert it is signed with.  Do you have some way
> to force the cert?
>
> --
> Dianne Hackborn
> Android framework engineer
> hack...@android.com
>
> Note: please don't send private questions to me, as I don't have time to
> provide private support, and so won't reply to such e-mails.  All such
> questions should be posted on public forums, where I and others can see and
> answer them.

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
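The server side of the scheme described in the post above (a shared key copied out of the POST body, a CRC32 of the APK reported with each call, a two-version freshness window, and selective blocking of CRC32s the developer never signed), as an added Python example; this is not code from the original post or from Android. The APK bytes, the API key and the version numbers are constructed stand-ins. The example also shows the limit of the check: because the client computes and reports its own CRC32, a modified build that hard-codes the legitimate value passes.

```python
import hmac
import zlib


def apk_crc32(apk_bytes: bytes) -> int:
    """CRC32 of the whole APK file as an unsigned 32-bit int (what the client reports)."""
    return zlib.crc32(apk_bytes) & 0xFFFFFFFF


# Constructed stand-ins for the APKs the developer signed, keyed by version code.
# Real APKs are ZIP files; any bytes serve to demonstrate the check.
SIGNED_APKS = {
    10: b"PK\x03\x04 myapp v10 " + b"\x00" * 64,
    11: b"PK\x03\x04 myapp v11 " + b"\x01" * 64,
    12: b"PK\x03\x04 myapp v12 " + b"\x02" * 64,
}
# Server-side allowlist: version code -> CRC32 the developer knows is legitimate.
KNOWN_CRC32 = {v: apk_crc32(b) for v, b in SIGNED_APKS.items()}

API_KEY = "constructed-shared-secret"   # the key the client sends in its POST body (constructed)
LATEST_VERSION = 12
MAX_VERSION_LAG = 2                     # users must stay within 2 versions


class ApiGate:
    """Server-side gate: checks the shared key, the version window and the reported CRC32."""

    def __init__(self, known_crc32, latest, max_lag, api_key):
        self.known_crc32 = known_crc32
        self.latest = latest
        self.max_lag = max_lag
        self.api_key = api_key
        self.unknown_seen = {}   # crc32 -> hit count, for the developer to review
        self.blocked = set()     # crc32 values the developer decided to block

    def check(self, key: str, version: int, crc: int) -> str:
        """Return 'ok', 'unknown-crc32' (served but logged until blocked), or a rejection reason."""
        if not hmac.compare_digest(key, self.api_key):
            return "bad-key"
        if crc in self.blocked:
            return "blocked-crc32"
        if not (self.latest - self.max_lag <= version <= self.latest):
            return "version-out-of-window"
        if self.known_crc32.get(version) == crc:
            return "ok"
        # A build the developer never signed: record it so it can be blocked selectively.
        self.unknown_seen[crc] = self.unknown_seen.get(crc, 0) + 1
        return "unknown-crc32"

    def block(self, crc: int) -> None:
        self.blocked.add(crc)


def demo() -> dict:
    gate = ApiGate(KNOWN_CRC32, LATEST_VERSION, MAX_VERSION_LAG, API_KEY)
    results = {}
    # Legitimate client on the current version.
    results["legit"] = gate.check(API_KEY, 12, KNOWN_CRC32[12])
    # Too old: version 9 falls outside the two-version window.
    results["stale"] = gate.check(API_KEY, 9, KNOWN_CRC32[10])
    # Pirate build: the APK was modified and re-signed with another key, but the
    # original API key was copied from the POST body, so only the CRC32 differs.
    pirate_apk = SIGNED_APKS[12].replace(b"v12", b"cracked")
    pirate_crc = apk_crc32(pirate_apk)
    results["pirate-first"] = gate.check(API_KEY, 12, pirate_crc)   # logged, not yet blocked
    gate.block(pirate_crc)                                          # developer reviews and blocks
    results["pirate-after-block"] = gate.check(API_KEY, 12, pirate_crc)
    # Limit of the scheme: the CRC32 is self-reported, so a build that hard-codes the
    # legitimate value passes the check.
    results["pirate-spoofed-crc"] = gate.check(API_KEY, 12, KNOWN_CRC32[12])
    results["unknown-hits"] = gate.unknown_seen.get(pirate_crc, 0)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On the client, the same value would come from running java.util.zip.CRC32 over the installed APK file (its path is ApplicationInfo.sourceDir); the constant-time key comparison is there because the key is compared on every call, not because it stops a copied key.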