I want my app to have two flavors: users' version and developers' version. Apparently, it is to be done with Flutter flavors.
I want developers' version to contain a "secret developers' key". How to ensure that users' version package does not contain secret developers' key (so, to make it impossible for a hacker to download it from Google Play and extract secret developers' key).
I use Android. In the future I also want to compile for iOS, and to be sure it won't contain the secret developers' key.
It is not possible. Consider everything in the app as public and open. You can make it harder to extract the "secret developers key", but it is not impossible.
Related
I have Android application on Play Store and build backend using Ruby on Rails. but some people are making an exact copy of my application using reverse engineering and they are using my APIs. how can I add authentication in my API so that I can prevent access to those applications which are copied form my application. I have implemented basic token authentication in which I am sending token to my APIs from Android app.
You have to know that android apps are identified by their Digital signature and package name, you have to sign your package.
https://developer.android.com/studio/publish/app-signing
Even if you Sign your app, decompilation is feasible. you may add extra level of security with will provide by obfuscation tools the well-known of which is Proguard.
It seams you didn't obfuscate your app which results code readability after Decompilation. The paid solution is using Dexguard, which uses Proguard with additional level of encryption. Both are products of Guardsquare.
To get familiar with such tools refer to Guardsquare user-manual:
https://www.guardsquare.com/
I'm not an Android expert, but I am a Rails expert. That said, I don't think Rails API security will help you here. If they decompiled your Android app, they'll just do it again when you release a new version and get whatever authentication scheme you implemented too.
Sorry.
I had someone develop an app for my nonprofit, and was about to publish the apk in the Developer Console. I realized that it needs a "release" signature by the developer. This, of course, entails key generation on the developer's part. Any recommendation on how I should publish the app under my name and my nonprofit's name?
I have paid for the app itself to be developed, and this may be a one-off scenario with this developer, but I want a key that I can use to update the app in the future using other developers.
And guidance would be great. Thank you.
You need to generate a key yourself. The key generator of Android Studio is perfectly fine.
Then you should compile the source yourself using the key you just generated.
Alternatively you can send the key to your developers. But unless there is a good reason I wouldn't do that because it eases identitiy theft.
I have a SDK which is being used by many merchant applications. As all these applications use my SDK I want to expose the key stored in android keystore system generated by one application, to all the applications on that device. Is this possible in the current Android Keystore System?
Is it possible to make it world readable, similar to shared preference?
If this feature is not available then what would be a good method to do it as merchants will not let their APP being used as way of authenticator.
I checked the following links for possible solutions. After going through these links I understood that the key will be accessible to the app generates it and application can access it by reflection.
link
link
link
link
link
folks! I have problems with all that 'signing' stuff. I've followed instructions from developer site and signed my app using Eclipse ADT plugin. I've created keystore, filled information. But I dont't understand following thing: do I need to create separate keystore for every app?
No. You sign all of your apps with the same key.
well... if you ever think there is even a remote possibility of selling any individual apps, you should use a different key for each app and keep them separate. here is the rationale for this:
http://phandroid.com/2012/06/21/getting-acquired-how-to-transfer-ownership-of-your-android-app-or-game/
My company is attempting to publish its first Android app on the market, and we have gotten to the code signing step. We have keys that we use for our other products and use the windows codesign tools to sign our products. We would like to use the same key to sign the Android app, but (obviously) cannot use the windows signing tool (because it only signs .dll's and .exe's)
Does anyone know how to sign an android app using existing keys? (.spc and .pvk files)
Thanks in advance.
You can try converting the PVK into something for the Java keystore. The odds of the resulting key being something the Android Market will accept is low -- for example, the Android Market requires the key to be good for at least 25 years, that you will use the same key for the entire lifetime of your app, etc.
Since the Android key can be self-signed, you are not saving any money this way and are only wasting time and increasing risk, IMHO.