I am trying to build an android telegram client using the famous TDLib. Unfortunately, I could not find any good tutorials or documentation about using this library in android. But, I've understood how the library works from the Java examples.
The problem is when implementing the library, I've to pass the api_id and api_hash to TDLib. I think these variables must be unknown to others, as this can reused for malicious purposes.
As the documentation does not provide any best practices about storing the api_id and api_hash, How can I make them unavailable to the public and securely manage it in the android app?
From the developer of TDLib
On Android the values can't be accessed without root permissions if
they are stored in any reasonable way. From the other side, they can
be extracted from the app's memory with root permissions. So you can't
do much besides storing them in the apps binary and obfuscating them
in any simple way.
and he says, if someone extracts the key and uses it for a malicious purpose, only the user is blocked
Related
Apache Log4J vulnerability https://www.csoonline.com/article/3644472/apache-log4j-vulnerability-actively-exploited-impacting-millions-of-java-based-apps.html is impacting a number of cloud services.
I am using log4j in my Android application.
How does it impact it or is there no impact at all?
I am assuming since the malicious actor could only run local scripts, it should not be an issue but I wanted to confirm.
Seems like Android apps are safe since JNDI isn't available on Android. I believe the following tweet was the first online mention of the vulnerability, and on the bottom of the second screenshot it says "Java's JNDI is not available on Android".
https://web.archive.org/web/20211209230040/https://twitter.com/P0rZ9/status/1468949890571337731
(original tweet got deleted https://twitter.com/P0rZ9/status/1468949890571337731/photo/2)
Developing an application of IOS, Android using React native.
The Firebase SDK uses this.
https://rnfirebase.io
Suppose you allow all Firestore security rules.
If the native application is reverse-engineered, will anyone be ready to read and write Firestore?
If you don't do anything with security rules, then all someone needs in order to read and write all your data is the name of your project. This is readily available by anyone looking at the contents of your APK or API, since it's not encrypted.
Even if you did encrypt that data, anyone looking at your APK or IPA will be able to see the code used to decrypt it.
You really need to use security rules to protect your users' data.
If you reverse engineered android app than you will get google-services-json file which is the basic and most important asset to connect to firebase.
As I can read RN-firebase documentation its a light-weight layer on-top of the native Firebase SDKs (iOS & Android) meaning it's just provide you with the methods to access already defined firebase services.
One thing you can do to protect your code is by using an encryption library to encode the JS and decode it at runtime before passing it to the bridge. The problem is that you'd have to ship the decryption key with the app code, so it would be trivial for a hacker to decrypt it if they were inclined to do so.
I want to build an Android Application in which the user gives permission to my server-side script to read their files.
Seems pretty straight-forward, I've made an app where the application can access the user's files.
However, giving access to the server is a lot harder, thanks to OAuth2.0 which has me confused as hell.
Is it even possible to build what I want, and if so, how can I achieve this? Links to tutorials are also accepted.
This is the library I used at a previous job and it saved me a lot of the hassle in dealing with the Google API directly. Just be sure to follow the authentication part carefully as you need the .ovpn file in order to access your drive.
I am using confidential data(like URL's, secret code etc) in my android application.
I want to protect my confidential data to access from the outside world (some thing like decompiling my class files etc.)
Please let me know what I need to do so that It can not be hacked by hackers.
Thanks.
By using encryption and decryption you can protect your data. This is - sample example
Content generated by an app that is deployed on a user's device cannot be 100% secure, but you can make attacker's life difficult. The idea is to make it difficult enough for cracking not to be worthwhile.
This article (and linked related articles) is about using cryptography. This is a good way to get started in securing generated or exchanged contents.
This article (and linked related articles, too) is about obfuscating your application code. The purpose of obfuscation is to make the reverse-engineering of your app more difficult once decompiled.
And this SO post can also be helpful to get started but the proposed implementation has an issue and needs revisiting (It works but has a hole. I've put an EDIT note in the post itself to explain that further).
That is not possible. If it is inside the app, it is vulnerable to attackers.
I've never made a game for a mobile so I'm not really sure what the proper convention for level info is. Basically I'm thinking that I include an xml file that I add to local diskspace for the app then load the level details (item positions, etc) from that xml file, this way when I have to update the game, add more levels, I only have the users download a small xml file. Is this method secure or are there other ways of doing this?
The security features on the BlackBerry can be pretty complicated, check out the second half of this article for a good summary of the various security features available:
http://programming4.us/mobile/2694.aspx
Here are some official BlackBerry docs on the topic too:
http://docs.blackberry.com/en/smartphone_users/deliverables/1487/Security_26381_11.jsp
FYI, most of this information concentrates on protecting data from unauthorized users, or from other malicious apps. Personally I wouldn't be too concerned about a sophisticated hacker changing my XML, unless I was giving away prizes for achievements!
Regarding file access:
Every Android App runs in it's own sandboxed environment with it's own system username. Data downloaded or residing in it's directory can not be read from other apps.
Google Developers on Security is worth reading.
In code, you can easily use
this.getFilesDir()
From within an activity subclass.
If a device is rooted or someone uses the adb shell from the sdk to access the app data directory, of course, he will be able to manipulate it, I assume.