Sample Usecase : I added a functionality to my app, which uses a scan sdk. But as soon as i added this, it increased my app size by 25MB. This part of the functionality is used only once by the user when he logs in. So is there any way i can load this functionality in runtime and unload it after the work is completed? I do not want this code to bloat the app all time.
I see Games doing this, they load helper libraries using zip when you launch the game and delete it when done. But i am not sure how it is done. Can anyone throw some light on this and how i can also achieve the same for my functionality?
Let me know if my question is unclear. Not sure if i have conveyed rightly.
Yes, you can download some necessary parts of your app on demand.
Restrictions:
Such behavior is enable only for API 21+
You should use app bundle
This mechanism's called Dynamic Delivery and has four use cases: At-install delivery, On demand delivery, Conditional delivery, Instant delivery.
Official documentation provides a lot of information and code samples too.
Related
I'm working on a drag and drop app builder. The concept is simple: users can build their apps visually, then the app's settings get turned into a configuration file which will be used by the app to decide how to construct itself (which views should be shown, how should the navigation look like, etc.)
My main concern is once the users download the apk (or ipa) file, they can decompile it, change things in the configuration file and re-compile/re-sign it to be published as a brand new app.
I was thinking about putting part of the logic on server side but that would introduce me the following problems:
If 1000 people built and published an app with my software, and each app sends only 10,000 daily requests to my server, that's already 10,000,000 requests per day, which would be pretty expensive.
If my server is down for any reason, I will have a lot of angry users coming at me.
Got any ideas?
There is no exact way of stopping decompilation/reverse engineering process of android app or apk !
But there Some chances to reduce the scope of code visiblity after decompilation/reverse engineering process !
Here are some habits I am sharing
1) Put important code on a Server : You may rely on remote procedure calls to a well protected server. This reduces the chance of your codes being stolen as the code will always remain on the server and nothing other than the results can be seen.
2) Debugger Detection Techniques : Insted of using the hard coated values or string use some formula or encryption methods which can help to hide the actual values
3) Write important parts of code in C/C++ :You can also write the important parts of your code in C/C++ and add them as a compiled library. While it can be disassembled into assembly code, reverse engineering a large library from assembly is extremely time-consuming. Java is easier to decompile in comparison to C/C++.
These are some key habits which are be taken care by good developer , You should also check out this answer as well !
Huh, I knew it wasn't possible to stop the decompilation/reverse engineering process on any android app. But, I thought maybe everything was possible! Like, perhaps something has changed since then, but no. Basically, I use the same steps as Nisarg Jani described. But, you have to pay some special attention to the C++ code. Any mistake will destroy everything that you have built to that moment. So, if you use a no-code desktop app builder, you should be aware of those "tips and tricks." Besides that, you should keep in mind that without the C++ code, you won't be able to do anything.
I'm working on building an App with Xamarin.Forms that will periodically (re: every second) potentially do something, regardless of if the application is in the foreground or background. Think something like a Timer/Clock.
I've found plenty of information on the Android side of things. It looks like prior to 8, you can run it in a service -- and at 8 or later, you'll need to run it as a Foreground Service.
e.g.
https://learn.microsoft.com/en-us/xamarin/android/app-fundamentals/services/foreground-services
From what I can tell, if I want to write any kind of controller to initialize this service (only if necessary in my client app), I'd have to add Mono.Android to the main shared library, which seems like the wrong thing to do, since the iOS version would ALSO have this dependency.
However, the iOS documentation is a little spotty when I search for it, as are best practices. I'm not sure if the correct route is to do Backgrounding -- or if that'll close things down.
e.g.
https://learn.microsoft.com/en-us/xamarin/ios/app-fundamentals/backgrounding/introduction-to-backgrounding-in-ios
It seems that Xamarin.Forms has come a LONG way with how things work in the past few years -- even 2016 to 2017 has a number of things changing. The web is crowded with tons of different (and no longer valid) tutorials on all of this.
Right now, I have a singleton instance of a state-tracker that can be called to update every second (or other controls, i.e. skip forward one minute).
Are there any best practices for cross-platform foreground service development? My best guess at this point is to publish Messaging events from that Controller, with specific code inside the main bodies of iOS and Android projects, which will then "know" how to create the appropriate services and then call the singleton instance of that state-tracker I mentioned before (which runs every second).
Are there any best practices or anything else that have something as simple as this published? Periodic calls, while the service is "initialized," to run in the background and make calls against a state service to track/announce different states, as necessary.
Xamarin.Forms is ONLY user-interface cross platform development, and as Xamarin.Forms is based on .Net you can also use everything available in .Net for cross platform development. And that is as far as it goes out of the box. Some cross platform features not available in .Net are covered with official and unofficial plugins like Xamarin.Essentials.
To conclude unless there is a plugin for what you require (and I am not aware), you need to use the native Android and iOS functions. Also you are limited with their limitations.
There is no way to predictably run the app on iOS in the background. While there might be some workarounds like using the push notifications none of them are something that will work well in general situation.
I've mobile SDK (iOS/Android) integrated into many different native apps. Once thing I noticed was it is very hard to maintain it once it released out to market. I am looking for a good design that allow developers to update the logic/ fix bugs quickly.
Instead of going thru dev --> test --> release --> adoption period, there should be a better way to quick sync up the updated logic.
For example, if my v1.0 has this logic
int adder(int a, int b){
return a+b
}
and suddenly I want to do some input validation and update the logic to
int adder(int a, int b){
return a+b+1
}
following current releasing flow, i would have to go thru the entire release process and wait for all apps to adopt my new v1.1 library (if I am lucky).
I thought of few ideas,
Remote config, for example, like Firebase Remote config. But this only allow me to tune the parameters, not really change any logic. At most, close this feature by having a flag to turn on and off it.
react native. I don't know how react native is going to help in this case since I am only a library, no UI involved.
Any other ideas?
I see 2 solutions, none is ideal though:
Make the treatment remote: Use a rest API to externalize your polymorphic operations. then you can update the API whenever you want and the application will follow - CONS: does not work if the phone is offline.
Do like cordova does. Having javascripts that are hosted and run locally in a hidden webview to get the results somehow (print the result raw in the body and read it from the native code). Your app, when online can check if a newer version of the script exists and download the update to adapt its behavior. Less easy than the number one but always works.
Background
I wish to get app's statistics that are available on the Developer-console website, but via Android itself, as an app.
What I've found
Google has a tool to get your app's reports (statistics, reviews, etc...) , called "gsutil" (more info here). I think it can do more, but that's what I wish to try out.
The problem
This tool is written in Python, and therefore it cannot be launched so easily on Android (and a bit on other Os's too, as you have to install Python runtime for this).
The question
Is there any way to use it on Android? Or maybe an alternative?
How about a library that does the same?
Check out the Andlytics app. They were able to accomplish this.
https://play.google.com/store/apps/details?id=com.github.andlyticsproject
The app I am working on is automatically cracked by antiLVL (although I am not using the LVL in my app).
In order of protecting my app from "one-click piracy", I am implementing tampering detection techniques explained at Google IO.
I have tried checking the signature both with getPackageInfo() and reflection (invoke()), but AntiLVL was able to crack the app automatically in both cases.
How can I write code that will not be automatically cracked by the current version of antiLVL (1.4.0)? I mean, apart from using JNI.
PS: I am not talking about preventing piracy in general. I just want the pirate to dig into the code by hand rather than using an automatic cracker.
The problem is, any API that only serves to check the validity of your application can be subverted and replaced with a version that always returns the result you expect. I haven't looked at Anti-LVL in detail, but I would imagine it is doing this, which is why your attempts to verify your code using Dalvik's built-in APIs for this purpose are failing.
In order to make it work, you'll have to do the work yourself, using only APIs that have multiple purposes and cannot be so easily subverted.
One way of doing it is to calculate a checksum of either your .apk file or just the classes.dex file inside it, and verify it against some external resource (online server with list of known correct versions, file downloaded to SD card on first execution, etc, resource in the .apk file that isn't included in classes.dex). This prevents code modification, which I believe is how anti-LVL works. I haven't tried this myself, but suspect it should work.
The Presentation Notes from Evading Pirates and Stopping Vampires
Some basic keypoints
Modify the LVL
Implement LVL Tamper Resistance
Use obfuscation
Add reflection
Please note, the #:r.page.X at the end of the links I've provided will not always bring you to that specific slide page number for whatever reason. If it doesn't, take note and browse manually.