> > Does this work at all? The signature is different from the public key, so
> > it shouldn't.

Yes it works, I wrote "MY_LONG_PUBLIC_KEY", but I meant "signature".

Thank you for replying Dianne, I knew it's a matter of time. Since the app costs less than 3$, I hope the three implemented levels of anti-piracy will be enough. I agree I should obfuscate the cert, too, as I did with the LICENSED constant (0x0).

I agree with the linked post, too. I really prefer to spend my time making my app nicer, more usable and efficient rather than burdening with key obfuscation and complex hashings. But the challenge of protecting something I really feel "mine" is too great to leave it easy to pirate.

I would never have expected my app to get cracked, for the simple reason I didn't think it was interesting. Now that I know it is, I like to make things more difficult to understand from a reverse-engineering point of view. I'm learning a lot from this issue.

Alessandro

On 12 May, 09:46, Dianne Hackborn <[email protected]> wrote:
> On Wed, May 11, 2011 at 8:47 PM, Nikolay Elenkov <[email protected]> wrote:
>
> > Does this work at all? The signature is different from the public key, so
> > it shouldn't. Even if it did, if an attacker can repackage your application,
> > they can replace the public key in the APK with their own. You have to
> > either do this on a server, or take measures to make the public key in
> > the apk really hard to get to.
>
> Once they are to the point of modifying your application in order to pirate
> it, it is just a matter of how difficult you are going to make it for them
> to do this. I was offering the public cert as another variable you can use
> for obfuscation and hindrance. Certainly though just having your public key
> as a raw string in the code makes it fairly easy to find -- you probably
> want to do something to obfuscate it. You could also do things like using
> bytes from the public cert to modify data being processed by the app in a
> way that gets a correct result for something.
>
> Again though we are at the point where a pirate needs to modify the app to
> remove the anti-piracy code from it. If we assume that the protection is
> for client-side code (not relying on a server side component), this is all
> just a game of deciding how much time it is worth you spending on making it
> hard for others to pirate your app vs. how much you think that will actually
> reduce piracy.
>
> And a recent blog post I read that gives some good perspective to have on
> this:
>
> http://jeff-vogel.blogspot.com/2011/05/final-answer-for-what-to-do-to...
>
> --
> Dianne Hackborn
> Android framework engineer
> [email protected]
>
> Note: please don't send private questions to me, as I don't have time to
> provide private support, and so won't reply to such e-mails. All such
> questions should be posted on public forums, where I and others can see and
> answer them.
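
The idea quoted above of using bytes from the public cert to modify data the app processes, shown as an added example that is not part of the original thread or anyone's app code. It is plain JDK Java; the certificate bytes, the masked string and all names are constructed assumptions, and on Android the certificate bytes would instead come from the package's Signature.toByteArray().

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class CertBoundConstant {

    // SHA-256 over the signing certificate bytes. Hypothetical helper: on a
    // device the input would be read from the installed package's signatures.
    static byte[] certDigest(byte[] certBytes) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(certBytes);
    }

    // XOR the data with the digest, repeating the digest as needed.
    // The same call masks at build time and unmasks at run time.
    static byte[] xorWithDigest(byte[] data, byte[] digest) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            out[i] = (byte) (data[i] ^ digest[i % digest.length]);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for two different signing certificates.
        byte[] developerCert = "constructed-developer-cert".getBytes(StandardCharsets.UTF_8);
        byte[] repackagerCert = "constructed-repackager-cert".getBytes(StandardCharsets.UTF_8);

        // Constructed value the app needs in order to work correctly.
        String needed = "https://api.example.invalid/v1";

        // Build time: only the masked bytes are shipped inside the APK.
        byte[] shipped = xorWithDigest(needed.getBytes(StandardCharsets.UTF_8),
                                       certDigest(developerCert));

        // Run time: unmask with whatever certificate the installed APK carries.
        // There is no "if (signature matches)" branch to find and patch out.
        String original = new String(xorWithDigest(shipped, certDigest(developerCert)),
                                     StandardCharsets.UTF_8);
        String repackaged = new String(xorWithDigest(shipped, certDigest(repackagerCert)),
                                       StandardCharsets.UTF_8);

        System.out.println("original signature recovers value:   " + original.equals(needed));
        System.out.println("repackaged signature recovers value: " + repackaged.equals(needed));
    }
}
```

The original certificate is public, so someone modifying the app can still hardcode its bytes in place of the lookup; as the thread says, this is obfuscation and hindrance, not a guarantee.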

