Oh and the documentation on LVL obfuscation is to prevent people from easily *modifying* the app to *remove* its LVL checks. This is in many ways a very different issue than trying to protect data that is being stored on the device. The LVL design has the server holding the private key that it uses to sign its results, and the app has a public key it uses to verify results from the server. That way you can't spoof the result without knowing the private key (which is only on the server), so LVL will work without needing to trust the local device or Market app.
On Tue, Feb 15, 2011 at 9:18 AM, Dianne Hackborn <[email protected]>wrote: > If someone has root, there is little you can do to really protect yourself > from them. > > > On Tue, Feb 15, 2011 at 9:10 AM, rajorshi <[email protected]>wrote: > >> I have no experience in cryptography, hence this basic question about >> the AESObfuscator in Android LVL. The AESObfuscator uses app specific >> info (say package id), device specific info (say >> android.provider.Settings.Secure.ANDROID_ID) and a salt to generate a >> key to encrypt the SharedPreference file where the ServerManagedPolicy >> stores my license information. Now, the app id and the device id are >> well known. It will be a simple matter to decompile my app to obtain >> the salt even if I obfuscate my code. Won't somebody be able to >> generate the key using the three values and edit the SharedPreferences >> file easily on a rooted phone? On a non-rooted phone I guess I can >> just make the file private and nobody else will be able to access it, >> but, what do I do on rooted phones? I can't help feeling I am missing >> something here. Why else would the documentation on LVL put so much >> emphasis on refactoring and obfuscating LVL to prevent others from >> patching the library when a much simpler way would be to just get the >> salt and edit the preferences file? Can someone enlighten me on >> this? >> >> ~rajorshi >> >> -- >> You received this message because you are subscribed to the Google >> Groups "Android Developers" group. >> To post to this group, send email to [email protected] >> To unsubscribe from this group, send email to >> [email protected] >> For more options, visit this group at >> http://groups.google.com/group/android-developers?hl=en >> > > > > -- > Dianne Hackborn > Android framework engineer > [email protected] > > Note: please don't send private questions to me, as I don't have time to > provide private support, and so won't reply to such e-mails. All such > questions should be posted on public forums, where I and others can see and > answer them. > > -- Dianne Hackborn Android framework engineer [email protected] Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them. -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
