The server-side LVL could verify the application signature instead,
since anyone (pirates) changing the code would have to re-sign the
package. The signature is (I think) available to the Market application on
the phone, and to the LVL back-end on the server.
Android Market's communication with the server and the application are
encrypted, and Market is signed with the platform key, which means it
can't be tampered with.
Don't know if there are any vulnerabilities with this (other than rooted
phones), but then, I don't work for Google and shouldn't discuss
something I know nothing about :)
-- Kostya
22.10.2010 12:30, Jose wrote:
But you can check for the checksum in dozens of different places in
your (obfuscated, of course) code. It's very easy and very fast.
This will raise the bar for piracy one step more.
On Oct 22, 9:18 am, noriato<[email protected]> wrote:
So then the check for the checksum could be removed... same problem.
Peter
On 22 Oct., 07:50, Jose<[email protected]> wrote:
I think that an easy way to tamper-proof apk would be:
1) Android Market computes a checksum for the apk when the apk is
uploaded
2) In the License Response (e.g. in one extra), Android Market sends
this value
3) The application computes the same checksum of itself. If the values
don't match, just finish()
This could be very easy to do for Android Market developers...
Regards,
Jose
On Aug 24, 8:16 pm, Trevor Johns<[email protected]> wrote:
FYI: We have a blog post up on this topic. It covers many of the points I
made earlier, but I figured it's worth pointing out.
http://android-developers.blogspot.com/2010/08/licensing-server-news....
--
Trevor Johns
Google Developer Programs, Android
http://developer.android.com
On Tue, Aug 24, 2010 at 8:26 AM, a1<[email protected]> wrote:
But I'm not sure that native code is any harder to patch, and there
are still identifiable syscalls or calls back up to java for i/o to
show where it tries to accomplish verification.
First of all it's much harder to bypass especially if you are dealing
with optimized code and you will have to do it at least twice (for arm
abi and armv7 abi). Even toolchain setup is more complicated.
--
Bart Janusz (Beepstreet)
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=e
--
Kostya Vasilyev -- WiFi Manager + pretty widget -- http://kmansoft.wordpress.com
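
The application side of the three-step checksum proposal quoted above, as an added example that is not part of the thread or of the LVL. The class name `ApkChecksum`, the choice of SHA-256, and the expected value arriving as a hex string taken from the license response are assumptions.

```java
import android.content.Context;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper: compares the installed APK's digest with a server-supplied one. */
public final class ApkChecksum {
    private ApkChecksum() {}

    /** SHA-256 (assumed algorithm) over the APK file this app was installed from. */
    static byte[] digestOfInstalledApk(Context context)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        InputStream in = new FileInputStream(context.getPackageCodePath());
        try {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                sha256.update(buf, 0, n);
            }
        } finally {
            in.close();
        }
        return sha256.digest();
    }

    /**
     * @param expectedHex checksum delivered as proposed in step 2 (assumption:
     *        a 64-character hex string read from the license response)
     * @return true only if the installed APK hashes to the expected value
     */
    public static boolean matches(Context context, String expectedHex) {
        if (expectedHex == null || expectedHex.length() != 64) return false;
        byte[] expected = new byte[32];
        for (int i = 0; i < 32; i++) {
            int hi = Character.digit(expectedHex.charAt(2 * i), 16);
            int lo = Character.digit(expectedHex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return false;   // malformed value: fail closed
            expected[i] = (byte) ((hi << 4) | lo);
        }
        try {
            // MessageDigest.isEqual does the byte-wise comparison of the digests
            return MessageDigest.isEqual(expected, digestOfInstalledApk(context));
        } catch (IOException | NoSuchAlgorithmException e) {
            return false;                          // unreadable APK: fail closed
        }
    }
}
```

The expected value has to come from outside the package, since an APK cannot contain a digest of itself.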