On Wed, May 11, 2011 at 8:47 PM, Nikolay Elenkov <[email protected]> wrote:

> Does this work at all? The signature is different from the public key, so it
> shouldn't. Even if it did, if an attacker can repackage your application,
> they can replace the public key in the APK with their own. You have to
> either do this on a server, or take measures to make the public key in
> the apk really hard to get to.
>

Once they are to the point of modifying your application in order to pirate
it, it is just a matter of how difficult you are going to make it for them
to do this.  I was offering the public cert as another variable you can use
for obfuscation and hindrance.  Certainly though just having your public key
as a raw string in the code makes it fairly easy to find -- you probably
want to do something to obfuscate it.  You could also do things like using
bytes from the public cert to modify data being processed by the app in a
way that gets a correct result for something.

Again though we are at the point where a pirate needs to modify the app to
remove the anti-piracy code from it.  If we assume that the protection is
for client-side code (not relying on a server side component), this is all
just a game of deciding how much time it is worth you spending on making it
hard for others to pirate your app vs. how much you think that will actually
reduce piracy.

And a recent blog post I read that gives some good perspective to have on
this:

http://jeff-vogel.blogspot.com/2011/05/final-answer-for-what-to-do-to-prevent.html

-- 
Dianne Hackborn
Android framework engineer
[email protected]

Note: please don't send private questions to me, as I don't have time to
provide private support, and so won't reply to such e-mails.  All such
questions should be posted on public forums, where I and others can see and
answer them.
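
The idea in the message above of using bytes from the public cert to modify data the app processes, sketched as an added example (not code from the original message or from Android): data the app needs is masked at build time with a key derived from the signing certificate, so a re-signed APK computes garbage without any explicit check to patch out. The class name, sample data and certificate stand-ins are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CertBoundData {
    // A fixed IV is tolerable only because each derived key masks a single blob.
    private static final byte[] IV = new byte[16];

    // AES-CTR is its own inverse, so this one method masks at build time and
    // unmasks at run time. Key = first 16 bytes of SHA-256(signing certificate).
    static byte[] mask(byte[] certDer, byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(certDer);
        Cipher ctr = Cipher.getInstance("AES/CTR/NoPadding");
        ctr.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(digest, 0, 16, "AES"),
                 new IvParameterSpec(IV));
        return ctr.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for DER certificate bytes. On Android the running
        // app's bytes would come from PackageManager.getPackageInfo(getPackageName(),
        // PackageManager.GET_SIGNATURES).signatures[0].toByteArray().
        byte[] developerCert = "constructed-developer-cert".getBytes(StandardCharsets.UTF_8);
        byte[] repackagerCert = "constructed-repackager-cert".getBytes(StandardCharsets.UTF_8);

        // Build time: mask data the app needs in order to behave correctly.
        byte[] levelTable = "speed=3;lives=5;gravity=9".getBytes(StandardCharsets.UTF_8);
        byte[] shipped = mask(developerCert, levelTable);

        // Run time: no comparison against an expected certificate, just unmask and use.
        byte[] genuine = mask(developerCert, shipped);
        byte[] repackaged = mask(repackagerCert, shipped);

        System.out.println("genuine APK:    " + new String(genuine, StandardCharsets.UTF_8));
        System.out.println("repackaged APK matches original: "
                + Arrays.equals(repackaged, levelTable));
    }
}
```

Someone who repackages the app can still embed the original certificate bytes and feed them to the unmasking code, so this only raises the effort required, which is the trade-off the message describes.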
