Hopefully you understand how to write such a tool: it seems that most people who try to write these tools do not, and security by obscurity sounds good until you get someone who pulls out a decompiler on your app.
To be clear: the way to circumvent this will entail some degree of static analysis, so for your tool to succeed you will have to "trick up" any kind of static analysis that an attacker is using (this generally requires a good degree of static analysis). I don't see how key signature code has anything to do with this "magic mechanism" to cause static analysis to fail.

Generally the way to circumvent this idea is to:

- Look at common ways a static analysis tool would defeat your technique (in this case, it would look at problematic paths that do the verification and then try to separate them out of the program, perhaps using program slicing or some other means).
- Try to trip up (make the static analysis hard) the tool that would do the stripping.
- Hope that it all goes well.

And remember, even though this is "static analysis" it would presumably be done by a human with a tool for bytecode inspection: these are not too hard to cook up.

The way to do this is basically to make your code really confusing and hard to follow, but any "compiler like" obfuscation mechanism (in the nature of ProGuard, for example) doesn't really work because good crackers know the patterns.

In the end, your mechanism probably *can* be broken, but breaking it probably isn't worth the effort if you put enough in. But still, that's far from being able to say that the app is "uncrackable."

Kris

On Tue, Jan 15, 2013 at 12:54 PM, btschumy <[email protected]> wrote:
>
>
> On Tuesday, January 15, 2013 2:56:20 AM UTC-7, b0b wrote:
>>
>> Note that this is not super useful to do that, as all automated cracking
>> tools will detect your call with PackageManager.GET_SIGNATURES, and patch it
>> out.
>
>
> We think we have a mechanism that makes this fairly difficult. It is
> unlikely any automated tool will succeed. However, time will tell.

