Let's say somebody managed to access my application's source code and injected his code, changed something, or used DvMap is it possible to detect this?
EDIT: changed "modifications" with "unwanted modifications" in title. Since it's obvious to detect changes especially if you are using VCS.
1. Use source control
Every time you make a change to your application's source code, commit / check it in to a source control service like Git, Mercurial or Team Foundation. If anyone changes your code, source control will inform you that you have changes that were not stored in source control - it will show you not only that the code was edited, but what the edits were (what was added, moved, deleted etc).
2. Use checksums
Every time you deploy your application to an .apk file, run a checksum on it and save the checksum value to a few locations with the version number. If you like, even write down the first and last 4 characters in the checksum for the version so that if anyone changes the checksum on your website etc to match their hacked version, you will know. You can't edit paper
3. If you have other contributors to your project, heavily document and review each other's code
This not only prevents bugs and silly mistakes being pushed to live / production builds, but it also stops anything getting passed someone who notices an intentional flaw. In the event someone adds a back door, it will be noticed.
4. Take basic security measures on your devices
This is a basic yet overlooked part of security. Essentially, lock your computer when you aren't using it. Use long and secure passwords, or a good password manager like LastPass or KeePass. Don't hand your passwords out to anyone, at all. Don't click on any suspicious links or open files that you don't trust. You get the idea.
Related
As at August 2015, the 'Drive API for Android' is not functioning as (loosely)documented, is effectively broken. The main sore points are as follows:
1) An app sharing the same APP_ID and logged in with the same Google User is meant to be able to find and access the same files as Google indicate (e.g. appX on device1 creates a folder named 'blahblah' (where no 'blahblah' folder already exists in the User's Drive), appX on device2 should be able to find that folder and upload/download files from it also...however this is not the case (or if it does work, it is intermittent and mostly not working at all)). This remains the case even after (many) requestSync calls and over 72hours of allowing Drive to sync itself.
2) A trashed folder is not observed as trashed, even after a requestSync call has succeeded. Such a trashed folder will still have isTrashed==false.
3) A permanently trashed folder (i.e. it is GONE from Drive, it is never coming back). Can still be found and "successfully" have folders and files created within it, however writing to such a file's contents will always yield a failure in Completion Event Service. Again, such a folder will still have isTrashed==false (which is abysmal).
Bug reports have been lodged (thanks to #DalmTo for the link) via: https://code.google.com/a/google.com/p/apps-api-issues/issues/entry?labels=Type-Defect,API-Drive
https://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=4003
https://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=4004
SO, the question: know a way around these issues?
UPDATE:
I've narrowed these problems down to my personal Google account (or my personal Drive, which has many, many files in it). That suggests these issues are symptoms of or closely related to https://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=3905
I can give you some points regarding the issue 1/ (syncing on multiple devices running the same app). I've been pointing out this already in April 2014 without satisfactory answer (actually resounding silence). So I switched back to the REST API and handled everything myself (using syncadapter, service, ...). The REST's algorithm is:
create/update/delete/ .... (execute() method)
dispatch resource ID ('id'+message) using GCM to other devices
let other devices deal with the change through the REST API (again, in service)
I've re-visited the GDAA a few times since and never got satisfactory results (requestSync). Finally, I got half-way happy when started to use 'completion events' (a year later, needless to say).
Again the algo is:
create ....
get ResourceId from completion
dispatch 'ResourceId'+message using GCM to other devices
let other devices deal with the change through the GDAA (using the ResourceId)
... and the point is:
During the time I was trying to make it work, I finally realized that the GDAA is not well suited for all applications (like the one we're discussing here). The GDAA goes through all kinds of hoops and loops to make the online/offline state transparent and at the same time to cache data and optimize network traffic, battery use, ... It creates latency, unpredictable states...
... so, in the end I stopped blaming the GDAA for not being a swiss-knife and do everything everybody ever dreamed up. It is up to the developer to FULLY understand the advantages / drawbacks of a toolbox he/she is using and decide upfront which tool to use. I know, the docs do not spell it out and believe me, I myself got caught in Magnus's excitement. I still remember pinoyyid's warning in January 2014, telling me not to jump in too early.
Good Luck
As per your response on the issue tracker, we believe this is an issue with sync for your particular account, potentially related to this issue. We'll continue discussion of this issue on the issue tracker.
I'm trying to install Kik Messenger twice. I have two accounts and don't like to log out because I lose all of my conversation history. I'm currently using Titanium backup's profile feature, which is a very nice fix, but it's still a pain having to switch back and forth between profiles. I might be looking for "perfect" when perfect doesn't exist. I am completely new to modding apks and Android in general, all of my work on this so far has been "trial and error". Anyways, here's what I have:
I have the Google Play version of Kik installed on my phone. I have extracted that app and modified the package name successfully using apktool. However, when I try to install, I get an error saying something about duplicate provider authority. So I did some research and learned that I'm supposed to edit this part of the AndroidManifest. So I have played around with that a little bit and after I change the authorities, I am able to install the modded app. However, it crashes immediately.
Does anyone know how to fix this problem with the provider/authorities?
The issue you're hitting is that the app has registered certain classes to handle particular events. These need to be unique across all installed apps and point to existing classes in the app that will perform some activity with the supplied information.
You bypassed the safety check when installing by changing the defined handlers in the Manifest but that didn't really fix it as they still need to actually point to a valid, working class that can handle the requests/events.
You would need to decompile, rename the classes involved and all references made to them and recompile the whole app to really fix the problem. However, I'd assume that it would likely be against the license. If the code is open source then it wouldn't be too big a task to rename some classes & packages then build the app. If it's closed source then it is a harder task.
What you can do is either set up your device to use multiple accounts (the OS not the app) as each user has a separate data storage and preference location that should allow you to have two configurations. Or you can request that the developers include some sort of multiple account handling or easy account swap feature.
So I have managed to get a couple apps up on the marketplace only to have a stray thought of what is the best way to go about managing my projects/apps within eclipse to accommodate future updates to the marketplace. My question resides within Eclipse and what to do with my projects/apps as I apply updates.
Do I simply copy my project/app, paste it and the increment the version information accordingly? Or am I continuously working on my published project/app? Or...Is there a recommended/preferred method of going about this. Since they are up and good on the marketplace I am leery of doing something that will cause problems for me later on down the line.
And don't change the package name....correct?
This is what I currently have on the Marketplace...
Wind Chill Calculator
True Love Game
First of all, everyone's posts were very helpful and I have spent some time looking over documentation through the links provided.
So...and brace for impact as I say this. Being one who has NEVER used any form of SCM for my projects this is all new to me (as everyone's faces cringe), which is why I am asking the original question in the first place. I hate to say tell me anything without doing my research...so within the past few hours using git within eclipse I have gleamed the following:
Team > Share Project ...ignores...any tags(for version info)which is what I am after...commits...THEN
Clone? File -> Import -> Git -> Git Repository at this point once I have cloned my project do I create a new tag with the new version info, and go through the commit process again? If this is the case I now have two items in my Git Repository. One of which has the single tag of 1.0, and the other item which contains two tags 1.0 and 1.1, and when I look at the history I see two tags Version 1.0 and Version 1.1. Then I just switch between the resources I need from within the repository?
I just want to make sure my process is correct before I begin to implement some of this on existing projects that are pretty extensive already. As for the rest I am just going to learn on the fly...branches
You might want to use a revision control system like SVN or git or one of dozens of other options, and continuously update the single project in Eclipse. The benefit of using source control is that you can branch into a new project for major changes, update your existing code for minor changes, and tag the branches so you can revert back to an old snapshot in the future.
I personally use bitbucket which is hosted remotely and is free. It supports SVN and Mercurial.
No, dont change the package name, that will make it new app, instead of upgrade of original.
Use a version control system, like SVN.
Manage Tags for a complete working state of code(through svn), so you can always revert back to that tag.
When ready for new release, increment version no. etc and update on market...
EDIT After addition in question:
Don't get much confused with various GIT/SVN working.. There main purpose is that they will allow you to switch your code back and forth to any point in past, that allows you to code in a way properly knowing that you can always revert back to a Working state.. and it is definitely of much more benefit in a Team , when multiple people are working on same codebase and possibly same files...
Being a long-time user of SVN, I recommend subclipse (svn for eclipse). When you're ready to release another version of your app, create a 'tag' for the release version and you'll always be able to go back to that exact version.
SVN has excellent docs. There is also TortoiseSVN for repo work outside of eclipse.
This question already has answers here:
I lost my .keystore file?
(12 answers)
Closed 9 years ago.
Based on my android keystore I created some apps. now, I want to update one of my programs but I lost my keystore. can I generate another one and update my app?
Thanks
You can create a new keystore, but the Android Market wont allow you to upload the apk as an update - worse still, if you try uploading the apk as a new app it will not allow it either as it knows there is a 'different' version of the same apk already in the market even if you delete your previous version from the market
Do your absolute best to find that keystore!!
When you find it, email it to yourself so you have a copy on your gmail that you can go and get in the case you loose it from your hard drive!
No, there is no chance to do that. You just learned how important a backup can be.
Brute Force is the only way!
Here is a script that helped me out:
https://code.google.com/p/android-keystore-password-recover/wiki/HowTo
Using a list of 5-10 possible words from memory, it recovered my password in <1 sec.
As everyone has said, you definitely need the key. There's no workaround for that. However, you might be surprised at how good the data recovery software can be, and how long the key may linger on your systems -- it's a tiny, tiny file, after all, and may not yet be overwritten. I was pleasantly surprised on both counts.
I develop on an OSX machine. I unintentionally deleted my app key around 6 weeks ago. When I tried to update, I realized my schoolboy error. I tried all the recovery tools I could find for OSX, but none could find the file -- not because it wasn't there, but because these tools are optimized to find the sorts of files the majority of users want back (photos, Word docs, etc.). They're definitely not looking for a 1KB file with an unusual file signature.
Now this next part is going to sound like a plug, but it isn't -- I don't have any connection to the developers:
The only recover tool I found that worked was one called Data Rescue by Prosoft Engineering (which I believe works for other files systems as well -- not just HFS+). It worked because it has a feature which allows you to train it to look for any file type -- even an Android key. You give it several examples. (I generated a few keys, filling in the data fields in as like manner as possible to the original). You then tell it to "deep search". If you're lucky, you'll get your key back in the "custom files" section.
For me, it was a life saver.
It's $100 to purchase, so it's not cheap, but it's worth it if you've got a mass of users and no further means of feeding them updates.
I believe they allow you 1 free file recovery in demo mode, but, unfortunately, in my case, I had several keys and could not tell which one was the one I needed without recovering them all (file names are not preserved on HFS+).
Try it first in demo mode, you may get lucky and be able to recover the key without paying anything.
May this message help someone. It's a sickening feeling, I know, but there may be relief.
If you lost a keystore file, don't create/update the new one with another set of value. First do the thorough search. Because it will overwrite the old one, so it will not match to your previous apk.
If you use eclipse most probably it will store in default path. For MAC (eclipse) it will be in your elispse installation path something like:
/Applications/eclipse/Eclipse.app/Contents/MacOS/
then your keystore file without any extension. You need root privilege to access this path (file).
I want to refine this a little bit because down-votes indicate to me that people don't understand that these suggestions are like "last hope" approach for someone who got into the state described in the question.
Check your console input history and/or ant scripts you have been using if you have them. Keep in mind that the console history will not be saved if you were promoted for password but if you entered it within for example signing command you can find it.
You mentioned you have a zip with a password in which your certificate file is stored, you could try just brute force opening that with many tools available.
People will say "Yea but what if you used strong password, you should bla,bla,bla..." Unfortunately in that case tough-luck. But people are people and they sometimes use simple passwords.
For you any tool that can provide dictionary attacks in which you can enter your own words and set them to some passwords you suspect might help you. Also if password is short enough with today CPUs even regular brute force guessing might work since your zip file does not have any limitation on number of guesses so you will not get blocked as if you tried to brute force some account on a website.
So, I have found a bug in a specific sdk that causes it to fail on some Android phones after re-installing a new version of an app which uses the sdk (via adb install -r, and presumably when a user gets an update that has been pushed to the Android market). Is there any way to force an application's data to automatically be cleared upon update of the app? I realize there are different ways that data could be stored, but I just need to essentially simulate an invocation of the "Clear Data" button that'd you find when browsing to the application in the "Manage Applications" section of the Settings (i.e. I just want all data gone).
I am an Android noob and am doing minimal Java coding on this project, so I am basically looking for the simplest solution here. I suppose I could settle on storing a "currentVersion" to disk and then checking it upon launch every time to see if the real current version matches the version that was written to disk on the last launch. Is that the only real way to do this? If so, what's the simplest way to do so?
Thanks!
Is there any way to force an application's data to automatically be cleared upon update of the app?
No, at least for my definition of "automatic".
I suppose I could settle on storing a "currentVersion" to disk and then checking it upon launch every time to see if the real current version matches the version that was written to disk on the last launch. Is that the only real way to do this?
I'd name it lastKnownVersion, but otherwise this approach seems sound and probably is your only viable option.
If so, what's the simplest way to do so?
Ummm...do exactly what you said. Use Java I/O (storing the file somewhere inside of getFilesDir()), or SharedPreferences.
Bear in mind, though, that your users may get rather frustrated if you blow away their data on an app update. Personally, I'd rather we find a better solution to your original problem ("I have found a bug in a specific sdk that causes it to fail on some Android phones after re-installing a new version of an app which uses the sdk").