I read this regarding how to extract code from apk.
I am really confused how does other app ensures security. I have a website. In that I have written all queries in PHP. So There is no way to get my queries unless they compromise my server.
In case of android app, I will have to write all the queries, connection details in Java. So when they can able to get code from APK, they can get my credentials. Isn't?
How does other app work? If I understood wrongly, please help me to understand.
So when they can able to get code from APK, they can get my credentials. Isn't?
Yes. If your app contains secrets and you distribute it to your customer, you customer has the secret.
Whilst you can obscure the secret using obfusctation tools like Proguard, his will be of limited effectiveness again all but the most casual attacker.
How does other app work?
Usually, the client-side app makes a connection to a front-end application on your server. The application server does its own identity management, connects to the database, and performs whatever limited range of operations the application allows for each user.
The application server is typically accessed using some kind of web services. You can re-use your PHP code here; the client app is then effectively just a convenient interface to making HTTP calls against your existing web site.
Android has a feature Pro guard. Pro guard convert all String and Const value into Obfuscated code. It also remove unused files. So by using pro guard, You will get two benefit. First You get your code security. Second, Apk size reduce to 25%.
Save your queries in res/string.xml file and use Proguard. Do not write queries in Java, just use the string in string.xml as query.
Related
I'm trying to find a way to make my Android app secure before releasing it. Currently I'm using https/ssl for server communication, with hidden password protected directories on the server that the app talks to. In those directories the app interfaces with PHP scripts that handle communication with the server data. My biggest vulnerability as I see it is the use of literal strings in the apk file to get access to the server password protected directories where the PHP scripts are. These literal strings could be detected by binary inspection or possibly attaching a debugger. What I've read so far is that it's not possible to obfuscate a literal string.
My question is, how can I prevent the discovery of the passwords to the hidden directories where the operating PHP scripts are? Alternately, what other approach should I be taking to keep server logins secure and reduce the chance of server attacks?
I think the best approach is to verify your app's signing certificate at run time. From that you don't need to hard-code any credentials in the app. currently Facebook SDK is using it. Please look at following.
https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app
https://developers.facebook.com/docs/android/getting-started
Perhaps it would make more sense to use encryption than to leave it unencrypted, you'd need to control how you deal with the Private key.
I want to make an app like McAfee Secure Container. The container app should launch other (specific) apps and provide them isolated execution environment. There should be no data sharing outside the container and all the apps inside container should use container's network connection.
What can be a way forward?
I know one solution that runs each app within it's own dalvik VM with a unique ID (uid ref linux) to protect all resources for that app. It makes use of the linux file permissions to protect these resources. The only way to get apps running with the same UID is to sign it with the same publisher key and declare this ID in the manifest. To get resources world readable you have to declare this explicitly when opening the resources within the app. Further more the apps can only access certain system resources if they declare that permission in the manifest. Think of IO operations and so on. These permissions will than be prompted to the user and install time.
... It's called Android :-)
Or in other words what more do you search for than what is already provided by the Android system? If you're looking for security I would say the Android system is pretty secure on its own. Some threats I can think of are listed next.
A possible threat is that the system itself (not the app) is compromised (rooted or so). Then all your app data will be exposed on that system. The solution for that is encrypting your data. Google for Android Derived Key for more information on how to get a key from a user password and use that key to encrypt sensitive data stored on a device. The main rule here is to only store sensitive data if you really have to and encrypt it if you do. Also make sure to use CBC mode instead of ECB mode and provide a salt and an IV.
Never ever think that your code is save. Not even if it is obfuscated. Obfuscation does not make it impossible to get the code in a readable format. It just makes it harder. So it's always a bad idea to keep sensitive data in your code.
Another possible threat I can think of is network traffic. Use SSL/TLS and verify hostnames. Limit credentials going over the network by using generated tokens for authentication. Encrypt data over the network, this time use a dynamic IV. Also validate input and be aware of SQL injection.
Short answer : you can achieve this with Dynamic Library loading.
Long answer please refer to this:
https://www.youtube.com/watch?v=siVS2jmPABM
I'm writing a ringtone gallery app which ringtones reside on a server and they can be downloaded by user.
What I want is to check and verify if the connection is really from my app not other apps or a HTTP request generator. for example I don't like someone write an app that uses my back end and show his ads in the app. It's like image leaching in web site which is prevented by checking the referrer.
It's not possible to insert a key in the app as android apps can be decompiled so easily. I thought of gaining the app signature and send it's hash as a key, but it's like any app can access other apps signature hash.
what about writing part of app which do the communication in native code? is it decompilable as easy as java code?
I really can't think of any other way and I don't like others use my resources for their benefit.
There are a couple of things you can do.
Create your own Certificate Authority, ship a certificate with your app and use two-way TLS authentication. This does not protect against decompilation and reverse-engineering but protects traffic en route.
Use the advice in this slide deck to detect modifications and debuggers.
Use Jelly Bean's hardware-backed secure storage.
At the end of the day, though, DRM is a lost battle. If the user has root access, all bets are off, with or without obfuscation (which native libraries are). The only question is how important is your data. For 90% of applications, running it through ProGuard makes it nearly impossible to untangle (especially if you use data flow obfuscation). Along with the certificate approach, that should suffice for most things.
Alternatively, try to change your model, so that you're authenticating the user and not the app - that's far simpler!
I have a website which supplies data to mobile app.
Is there a way to identify myApp vs a cloned App?
So that I can block access of any cloned App.
On first time APP usage, I generate an APP ID, PASS CODE & Access URL
Where I change the PASS CODE frequently, but how to identify myAPP on the first access so as to be sure that I am issuing APP ID & PASS CODE to my own APP only.
What sort of encryption I can use for the first time access?
You can have a hardcoded key on your app code that only your server knows. Use it to create a hash signature, like md5(concat(key, deviceId)). When the requests arrive to your application server, you can do the same and compare the results. The clonner can't discover this key by sniffing your app requests. The only way to get it is by disassembling it, but it's much harder.
This is a simple suggestion, though. If you want a more sofisticated solution, check for HMAC wiki.
It makes sense passing a token via Push to an application (GCM for Android). Using that code can uniquely identify application, and cloned application could not reach that code.
I have an application that needs to create a remote account if the user pays for an application using the Android Market.
How might I do this from the application itself in a secure way, ie. I don't want anyone to be able to submit data to a url and create an account, I want this to happen in a verified way. I thought of including an authentication key in the application itself, but that does not stop someone from decompiling the application and taking out the authorisation key.
Is there a way to query the Android Market payments using PHP?
http://code.google.com/p/android-market-api-php/
Don know if this might be of any help.
I found out how to do it. You need to write a custom java class based off the original Licensing System, in particular the the verify() method. You can then run the command using backquotes in php and grab stdout.
If you would like to use PHP rather than execute a Java process you may find this library on Google Code verifying Android Market licensing responses useful.
It just takes a few lines of PHP to verify a license and the formatting of keys and OpenSSL stuff is taken care of for you.