You can't publish code and yet keep it secret.

In particular, the security of your system must not depend on the
algorithm being secret. In fact, you should definitely, definitely
only use publicly-known encryption functions (such as the ones built
into the Android platform). Don't roll your own at all.

http://en.wikipedia.org/wiki/Kerckhoffs%27_principle

You can and should keep the encryption key secret, such as by storing
it in a private file. Make sure you generate a new key for each device
-- if everyone gets the same private key file, it's not private
anymore. :)


On Wed, Oct 28, 2009 at 4:31 PM, z <[email protected]> wrote:
>
> I am only interested in how to stop someone from loading my class and
> executing a function in it, let's say it's an encryption algorithm.
>
> On Oct 28, 3:38 pm, Chris Palmer <[email protected]> wrote:
>> You can load and use the classes, but they will execute with the permission
>> of your app, not of the app whose code you're borrowing. Or are you saying
>> the code runs as the other app?
>>
>> Even if Android did stop app A from borrowing app B's code as found on the
>> device, app A (or the developer of A) could still simply download the .apk
>> off Market and borrow it that way.
>>
>> What's the threat you're worried about, exactly?
>>
>> On Oct 28, 2009 11:47 AM, "z" <[email protected]> wrote:
>>
>> As you know you can easily load any class using this API call
>>
>> import android.content.Context;
>> import android.content.pm.PackageManager;
>>
>> // inside an Activity (or any other Context subclass)
>> void loadForeignClass() throws PackageManager.NameNotFoundException,
>>         ClassNotFoundException {
>>     // ask for the code of the foreign package to be loaded into this
>>     // process, and ignore the security restrictions normally applied to
>>     // that context (error checking omitted here; add it in real code)
>>     Context tmpCtxt = createPackageContext("com.google.android.notepad",
>>             Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY);
>>     Class<?> c = tmpCtxt.getClassLoader().loadClass(
>>             "the.name.of.a.class.in.a.package.already.deployed.on.the.device");
>>     // do normal Java reflection things with c
>> }
>>
>> So does that mean anyone can load my code and execute it using
>> reflection? Is there anything that protects Android from this kind of
>> attack?
