I know that everybody can get their Twitter etc. api_key (+ secret).
The same goes for Google Storage, Amazon S3 credentials, etc.
My issue is that I do not want *my* credentials stolen
and the bad guy pretending to be me
with all the dire consequences.

So -- how about getting credentials from the Cloud (over SSL)
and hiding them in AccountManager's Account?

On Dec 31, 6:24 am, Mark Murphy <[email protected]> wrote:
> Moreover, you also have to ask yourself how much effort is needed for
> a given item.
>
> For example, the OP was concerned about a Twitter API key. Personally,
> I wouldn't worry about that, since there are no real barriers for
> anyone else to get their own Twitter API key.
>
> On Fri, Dec 31, 2010 at 5:47 AM, Dianne Hackborn <[email protected]> wrote:
> > Ultimately there is no good answer here.  No matter what you do, you can't
> > totally protect anything in your application.  Your entire application is
> > out in the world, where anyone can get at its contents, and with sufficient
> > effort learn every deepest darkest secret it contains.
> > The question you have to ask yourself is, how difficult does it need to be
> > for someone to get at whatever you are concerned about?  You can't make it
> > impossible.  You can make it easy or various levels of harder.  Moving to
> > native code gives you more tools for making it harder, but is never going to
> > be a panacea.  How much time are you willing to spend on this vs. how much
> > harder you will make it?  You are quickly going to find yourself reaching a
> > point of diminishing returns where a large amount of effort moves the
> > "harder to extract" needle only a little bit.
>
> > On Fri, Dec 31, 2010 at 2:36 AM, Samuh <[email protected]> wrote:
>
> >> This post [http://digital-identity.dk/2010/12/protecting-ip-in-android-applications/]
> >> suggests that apart from obfuscation, we can try
> >> implementing a portion of (sensitive) code natively. And then to
> >> ensure that the native code is used/called by our application only, we
> >> can match the digital keys used to sign the application.
>
> >> How effective will this prove to be?
>
> >> --
> >> You received this message because you are subscribed to the Google
> >> Groups "Android Developers" group.
> >> To post to this group, send email to [email protected]
> >> To unsubscribe from this group, send email to
> >> [email protected]
> >> For more options, visit this group at
> >> http://groups.google.com/group/android-developers?hl=en
>
> > --
> > Dianne Hackborn
> > Android framework engineer
> > [email protected]
>
> > Note: please don't send private questions to me, as I don't have time to
> > provide private support, and so won't reply to such e-mails.  All such
> > questions should be posted on public forums, where I and others can see and
> > answer them.
>
> --
> Mark Murphy (a Commons Guy)
> http://commonsware.com | http://github.com/commonsguy
> http://commonsware.com/blog | http://twitter.com/commonsguy
>
> Warescription: Three Android Books, Plus Updates, One Low Price!
