before asking this question i searched hole internet about security of android and i know maybe proguard and obfuscation help me...
I have wrote a class that decrypt server response data and convert it to a map.
if anyone can decompile my java class or move my decryptor class to him app.he can cheat in my game and harmful financial damages.
if we cross "This is an stupid question!!!" then
is there any way to secure my code with 100% security?
what reference's you suggest me?
thanks alot
I think there are multiple facets to this issue. Security is not just about android or java abstraction, you want your entire system to be strong enough. For starters I will suggest you can develop an apiKey system that will add another layer of security, the apikey is linked to the email id of the downloading user, so even if someone were to decompile your app they would need an api key to access your services. But api keys are for basic authorisation purposes.You could also opt for OAuth2.0 tokens which are time based and are much more robust.
These links can help:
https://hueniverse.com/introducing-oauth-2-0-b5681da60ce2
https://www.scribd.com/document/33655/How-to-Design-a-Good-API-and-Why-it-Matters
Related
I am building a flutter android application for an e-commerce website that uses woocommerce. For performing crud operations with the woocommerce API it provides consumer_key and consumer_secret. Right now, my application just has those written into the source code. However, I have come to know that an attacker can de-compile my app to get the keys.
Googling about it, I found these -
People saying limit authentication to the servers but how is that possible in this case?
Code obfuscation which still leaves the keys in the app
flutter_secure_storage package wont help because I would have to store it anyway which means it still ends up in the code.
Some advice or solution to this problem is what I am looking for here. Is there a way around this?
I want to build an Android Application in which the user gives permission to my server-side script to read their files.
Seems pretty straight-forward, I've made an app where the application can access the user's files.
However, giving access to the server is a lot harder, thanks to OAuth2.0 which has me confused as hell.
Is it even possible to build what I want, and if so, how can I achieve this? Links to tutorials are also accepted.
This is the library I used at a previous job and it saved me a lot of the hassle in dealing with the Google API directly. Just be sure to follow the authentication part carefully as you need the .ovpn file in order to access your drive.
I am using confidential data(like URL's, secret code etc) in my android application.
I want to protect my confidential data to access from the outside world (some thing like decompiling my class files etc.)
Please let me know what I need to do so that It can not be hacked by hackers.
Thanks.
By using encryption and decryption you can protect your data. This is - sample example
Content generated by an app that is deployed on a user's device cannot be 100% secure, but you can make attacker's life difficult. The idea is to make it difficult enough for cracking not to be worthwhile.
This article (and linked related articles) is about using cryptography. This is a good way to get started in securing generated or exchanged contents.
This article (and linked related articles, too) is about obfuscating your application code. The purpose of obfuscation is to make the reverse-engineering of your app more difficult once decompiled.
And this SO post can also be helpful to get started but the proposed implementation has an issue and needs revisiting (It works but has a hole. I've put an EDIT note in the post itself to explain that further).
That is not possible. If it is inside the app, it is vulnerable to attackers.
I am developing a tool which scans android apps and shows the vulnerabilites found in it.I am stuck at one of OWASP vulnerability i.e Insufficient Transport layer protection. I am not able to find vulnerable code to create a pattern so that i can cross check it with any app. Please if you have any vulnerable code related to this vulnerability please tell me.
Thanks in advance
Basically what you have to check is, wether encryption is used for operations on the network.
For example: Is SSL/TLS enabled for Login-Requests? Is there any other sensitive information which is transferred in clear-text over the network? Is SSL configured in a secure way (e.g. no SSLv2)? and so on.
You can find a list on https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet what you have to consider while preventing this specific vulnerability.
However I think it's pretty hard to check if something isn't there...
I am not familiar with Android programming but I would look for any unencrypted socket creation or request, as this possibly is this kind of vulnerability.
Good luck ;-)
I have an app that connects and updates a users facebook status. I have ofcourse got a key for my app to verify who it is. Does this need to be encrypted and if so how can I achieve this. I have no previous knowledge of encryption and little of java so please could you link to anything useful as well.
Thanks
Its never a bad idea to encrypt any sensitive data. But if you are using Eclipse and the ADK to develop your app, the whole app is obfuscation with proguard. (see: http://developer.android.com/guide/developing/tools/proguard.html ) This makes it much harder to find the string, but not impossible.
Its not hard to encyrpt and decript strings in Android. Here is a short example:
http://www.androidsnippets.com/encryptdecrypt-strings
Something to keep in mind is that eventualy the string will be decrypted in memory and passed to a function. If someone is running your app in the emulator or device with in circuit emulation they will get the string. Just be ready for it, and have a plan with how to deal with it.