I have Android application on Play Store and build backend using Ruby on Rails. but some people are making an exact copy of my application using reverse engineering and they are using my APIs. how can I add authentication in my API so that I can prevent access to those applications which are copied form my application. I have implemented basic token authentication in which I am sending token to my APIs from Android app.
You have to know that android apps are identified by their Digital signature and package name, you have to sign your package.
https://developer.android.com/studio/publish/app-signing
Even if you Sign your app, decompilation is feasible. you may add extra level of security with will provide by obfuscation tools the well-known of which is Proguard.
It seams you didn't obfuscate your app which results code readability after Decompilation. The paid solution is using Dexguard, which uses Proguard with additional level of encryption. Both are products of Guardsquare.
To get familiar with such tools refer to Guardsquare user-manual:
https://www.guardsquare.com/
I'm not an Android expert, but I am a Rails expert. That said, I don't think Rails API security will help you here. If they decompiled your Android app, they'll just do it again when you release a new version and get whatever authentication scheme you implemented too.
Sorry.
Related
I'm using the Mobile SDK to access DocuSign features via Android application (Kotlin).
For authentication, I'm using JWT.
My question is:
Is it possible to use a pre-defined signature (not sure if it's the correct term) like on the web? I mean something like this:
I've tried both signOffline and signOnline. In both cases, just the draw/handwriting signature is supported. I also already tried to call drawSignature and drawInitials, but doesn't seem do have any effect.
Could someone give some hint how to do this?
Currently, SDK supports only drawing of signature in both offline and online signing. Predefined signature is not supported yet in online signing. We will definitely add this feature to our Roadmap and will be available in future SDK releases.
We released SDK v1.4.0. In this release, we added support for using preconfigured signature in online signing.
Set the following SDK CustomSettings api as follows:
val customSettingsDelegate = DocuSign.getInstance().getCustomSettingsDelegate()
customSettingsDelegate.disableNativeComponentsInOnlineSigning(this, true)
How does one verify in our server that the android app is from an official source, say downloaded through google play? Since you can just basically extract android js bundle from the apk.
Depending on exactly what you are trying to achieve you can look into App Licensing https://developer.android.com/google/play/licensing/index.html
I had someone develop an app for my nonprofit, and was about to publish the apk in the Developer Console. I realized that it needs a "release" signature by the developer. This, of course, entails key generation on the developer's part. Any recommendation on how I should publish the app under my name and my nonprofit's name?
I have paid for the app itself to be developed, and this may be a one-off scenario with this developer, but I want a key that I can use to update the app in the future using other developers.
And guidance would be great. Thank you.
You need to generate a key yourself. The key generator of Android Studio is perfectly fine.
Then you should compile the source yourself using the key you just generated.
Alternatively you can send the key to your developers. But unless there is a good reason I wouldn't do that because it eases identitiy theft.
Looking to improved the security of my Android app to flag if the .apk has been extracted, modified, repacked and resigned. Here's article from Zdnet noting the issue link1.
The concern is if the app is targeted by hackers they could add malicious code and upload to an alternate app store and dupe users in to downloading it.
So I'm thinking code to verify a checksum of the apk or signing certificate?
I appreciate the app code could be repacked and any security code removed, but it does increase the difficulty of repacking it, maybe enough for them to try another app.
[update]I know the Google Play store licensing module offers something similar but I'm looking for something for non paid apps and other/non marketplaces.
I ended up using Dexguard (paid obfuscator for Android). It offers a module that preforms apk verification. It is simple to implement and offers better than average protection.
Here's the code to do the check:
dexguard.util.TamperDetection.checkApk(context)
The main issue is where to store the checksum of the apk to verify against given that it could to be replaced. The dexguard way is to check it locally but using other features like class/string encryption and api hiding obscure this call.
Here are some of the articles that could help you out.
Retrieving APK signature during runtime.
Self checking an APK signature.
How to check APK signature.
Use the Google licensing service It will connect with the play store to make sure the user purchased the app every few days. (you can set the amount) Also loook at ProGuard. It strips all the class, method, and variable names out of your code making it really hard to understand once its decompiled.
I am developing an android app and I am planning to publish it (paid app). I have heard that it is very easy to pirate Android apps (much easier than iphone). I was wondering from your experience or what you know, how can increase the security of my app? I know that I can never get it 100% secured but I want to make it harder for people to pirate it or distribute it illegally
Any ideas, experiences, comments you can share?
I released a free anti-malware app for Android, and making sure nobody hacked it was essential to its success. The biggest threats agains an app on the Android Market include leaked source code, copied/distributed paid apps, and re-keying. I explain each below and way to solve them.
Firstly, this paper describes how to reverse-engineer an Android application by unpacking the compiled code and viewing the source code. You will not be able to block this from happening to your app. Period. Someone with a will can always view your sourcecode if they get a copy of your apk (easily available on a rooted phone). The good news is that you can obfuscate the important pieces of your code making it harder to reverse engineer. Proguard is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging. In order to prevent your important code from being read, however, you will need to move all vulnerable methods or variables to a file that is not an Activity, Service, or BroadcastReceiver. For full facts, read the documentation.
To protect agains illegally copy and distribution of your application, Google Play provides some licensing options. Unfortunately, LVL is also not entirely secure. A detailed HOW-TO for how to crack it (pre-Google Play) is available here.
Lastly, the paper linked above, as well as numerous scholarly articles and online blogs describe how, once the source code (or even obfuscated source code) is leaked, once can merely add some of their own, malicious code, resign the app, and publish it on the Android Market. The good news here is that, unless your android license key password is easily guessable, or if you give it out to someone else, the attacker will not be able to publish an application with the same license key. This not only protects you from blame, but it will also make it so that malicious application cannot access data available through your original application (such as SharedPreferences).
All in all, the best way to really secure your application from piracy is to correctly configure and use Proguard, Google Play Licensure, and to sign you final apk with a very secure license key.
You could add tamper checks combined with obfuscation to alert user/disable functionality /report to server if the app has been pirated. I use DexGuard for hardened obfuscation.
Tamper checks
Installer app - Use package manager to ensure the installing app is the play/amazon app store
Emulator check - Check system properties for telltale signs the app is being run on emulator which outside of dev could indicate attack/tampering
Debuggable check - Use package manager to check the debuggable flag, this should be off in product so could indicate attack/tampering
Signing certificate check - Use package manager to verify the app is signed with your developer certificate (this would be broken if someone unpacked and repacked/resigned the app)
update: Since answering this question, I've written a more detailed article on tamper detection.
Have a look at the Google Play licensing framework.
http://developer.android.com/guide/market/licensing/index.html
This is your best choice.
Google Play Licensing is a network-based service that lets an
application query a trusted Google Play licensing server to determine
whether the application is licensed to the current device user. The
licensing service is based on the capability of the Google Play
licensing server to determine whether a given user is licensed to use
a given application. Google Play considers a user to be licensed if
the user is a recorded purchaser of the application.