yep, good suggestions. we're probably going to lean on a mix of native code and obfuscation with server side validation coming in soon.

thanks

On Sep 13, 10:08 pm, Nikolay Elenkov <[email protected]> wrote:
> On Wed, Sep 14, 2011 at 12:56 AM, androidmediadeveloper
> <[email protected]> wrote:
> > We are integrating with market to provide in-app billing on our app.
> > The implementation guide says for additional security, we can use a
> > server to do the key verification process. This is so we don't bake the
> > apk with the public key I suppose.
> >
> > Having a server side presence for us for right now is overkill. So,
> > outside of the proguard obfuscation (which we are doing), are there
> > any recommended security techniques that we can incorporate to make
> > the apk tighter ?
>
> If you don't need to authenticate people who bought an item using IAB,
> and let them download additional contents, a server might be overkill.
> You can split the key and scramble it somehow so it's not an obvious
> string resource if you are worried about people replacing it. However,
> if someone wants to crack your app, they are far more likely to modify
> the bytecode to bypass any checking routines you have, rather than
> trying to replace the key and fool signature checking.
>
> The Google IO 'Evading Pirates and Stopping Vampires' presentation
> has some tips on further obfuscation and integrity checking. It boils
> down to: use native code and server-side code. You decide how far
> you need to go.
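As an added illustration (not code from this thread, nor the Android sample code), this is the server-side check the implementation guide refers to: the app forwards the signedData JSON and signature it received from Market, and a server holding the publisher public key verifies them, so neither the key nor the checking routine ships in the APK where bytecode patching can bypass it. The key value is a placeholder and the class name is assumed.

```java
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/** Server-side verification of an in-app billing purchase response.
 *  Runs on the server only; the APK never sees the key or this logic. */
public class PurchaseVerifier {
    // Placeholder: the Base64 public key shown in the Market publisher
    // console. Keep it in server configuration, not in client resources.
    private static final String PUBLISHER_KEY_B64 = "<PLACEHOLDER_BASE64_PUBLIC_KEY>";

    private final PublicKey publisherKey;

    public PurchaseVerifier() throws Exception {
        byte[] der = Base64.getDecoder().decode(PUBLISHER_KEY_B64);
        publisherKey = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(der));
    }

    /** True only if signatureB64 is a valid SHA1withRSA signature over
     *  signedData, the JSON string exactly as Market handed it to the app. */
    public boolean verify(String signedData, String signatureB64) throws Exception {
        byte[] sig;
        try {
            sig = Base64.getDecoder().decode(signatureB64);
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64 is a failed check, not a crash
        }
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(publisherKey);
        verifier.update(signedData.getBytes("UTF-8"));
        try {
            return verifier.verify(sig);
        } catch (SignatureException e) {
            return false; // wrong-length or garbage signature bytes
        }
    }
}
```

After the signature passes, the server should still match the nonce inside signedData against one it issued and record the orderId, so a genuine response captured once cannot be replayed to unlock content again.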

