By the way: this doesn't belong on android-developers, it belongs on android-security-discuss. You'll probably get more publicity there from people who know things about Android security (into which this conversation has delved).

Kris

On Tue, Jan 15, 2013 at 1:05 PM, Kristopher Micinski <[email protected]> wrote:
> Hopefully you understand how to write such a tool: it seems that most
> people who try to write these tools do not, and security by obscurity
> sounds good until you get someone who pulls out a decompiler on your
> app.
>
> To be clear: the way to circumvent this will entail some degree of
> static analysis, so for your tool to succeed you will have to "trick
> up" any kind of static analysis that an attacker is using (this
> generally requires a good degree of static analysis).
>
> I don't see how key signature code has anything to do with this "magic
> mechanism" to cause static analysis to fail. Generally the way to
> circumvent this idea is to:
>
> - Look at common ways a static analysis tool would defeat your
> technique (in this case, it would look at problematic paths that do
> the verification and then try to separate them out of the program,
> perhaps using program slicing or some other means).
> - Try to trip up (make the static analysis hard) the tool that would
> do the stripping.
> - Hope that it all goes well.
>
> And remember, even though this is "static analysis" it would
> presumably be done by a human with a tool for bytecode inspection:
> these are not too hard to cook up. The way to do this is basically to
> make your code really confusing and hard to follow, but any "compiler
> like" obfuscation mechanism (in the nature of proguard, for example)
> doesn't really work because good crackers know the patterns.
>
> In the end, your mechanism probably *can* be broken, but breaking it
> probably isn't worth the effort if you put enough in. But still,
> that's far from being able to say that the app is "uncrackable."
>
> Kris
>
> On Tue, Jan 15, 2013 at 12:54 PM, btschumy <[email protected]> wrote:
>>
>>
>> On Tuesday, January 15, 2013 2:56:20 AM UTC-7, b0b wrote:
>>>
>>> Note that this is not super useful to do that, as all automated cracking
>>> tools will detect your call with PackageManager.GET_SIGNATURES, and patch it
>>> out.
>>
>>
>> We think we have a mechanism that makes this fairly difficult. It is
>> unlikely any automated tool will succeed. However, time will tell.
>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "Android Developers" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/android-developers?hl=en

