Secure way to store a highscore? - android

I have an Android app and I'm saving highscores simply in Shared Preferences. On a rooted device, you can just edit the XML and modify the score. Because in the next update I'm planning to add Google Play Leaderboards, I need to store them safely. Now, I'm just saving it and a salted hash of it. But there's one problem: It is possible to decompile it easily using decompileandroid.com, read how I'm salting it, and reproduce the process afterwards.
I want to be able to sync highscores which were made offline. It's a really simple app that is definitely supposed to be played in a bus or train.

Since the customer is in control of the device, and the game is played offline, it will always be tamperable. There is no storage on the device that root cannot access, and there is no way to fully obfuscate client side code so that the user can't reverse engineer it. Your options are to 1) change your design and require closer server-side integration to detect cheating, or 2) to attempt to make it more difficult by obfuscating the APK, and putting in bypassable protections like you have suggested with the integrity checking hash.

You can use internal storage. The details are on the official Android developer site: http://developer.android.com/training/articles/security-tips.html
I hope it helps.
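
The integrity-checking hash discussed in this thread, written with a keyed HMAC instead of a salted hash, as an added example that is not part of the original posts. The class name, the key and the `playerId|score` record layout are assumptions, and it runs on a plain JVM; any key shipped in the APK can be recovered by decompiling it, so this only raises the effort above editing the XML.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

public class ScoreRecord {
    // Assumption: constructed demo key. A key embedded in the APK is recoverable by decompiling.
    private static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    // Tag covers the player id as well as the score, so a record cannot be moved between players.
    static String tag(String playerId, long score) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] t = mac.doFinal((playerId + "|" + score).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(t);
    }

    // Recompute the tag from the stored values and compare it with the stored tag.
    static boolean verify(String playerId, long score, String storedTag) throws GeneralSecurityException {
        byte[] expected = Base64.getDecoder().decode(tag(playerId, score));
        byte[] actual;
        try {
            actual = Base64.getDecoder().decode(storedTag);
        } catch (IllegalArgumentException e) {
            return false; // stored tag is not valid Base64, treat as tampered
        }
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        String stored = tag("player-1", 4200);
        System.out.println("intact record:        " + verify("player-1", 4200, stored));
        System.out.println("score edited in XML:  " + verify("player-1", 999999, stored));
        System.out.println("copied to player-2:   " + verify("player-2", 4200, stored));
    }
}
```

A server that receives synced offline scores can run the same `verify` step, but it still cannot distinguish an honest client from a modified one that holds the key.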

Related

Android security: How to make an android app not copyable?

Long story:
My clients want to let a third-party company test my App.
Because I have never heard about this company before, I want to make my App not copyable/data-accessible, in case they try to copy my program or do strange stuff.
In a few words, I give them a smartphone with the App already installed and usable, but that's it, they can't do anything more than test it normally like a casual user. Or a way to ask them for a password if they try to access sensitive data.
Is there a way to do it?
Short story: I need to make my App not copyable and its data inaccessible from others.
I hope my explanation was exhaustive :)
Thank you all!
A determined hacker will defeat any sort of copy protection you put in place. But what you can do is put enough barriers in place to make their return on investment not worth the time and effort.
Without investing too heavily in security components or investing in a trusted security platform, here are some dirt simple things you can do in a special one-off build of your app.
Tie this particular build of your app to something specific to the phone you are sharing with them. If the phone's serial number doesn't match, it doesn't work. See this on getting a serial number of an Android device.
If there are data files beyond the program's compiled code that you are trying to protect that is plaintext or not in a custom binary format, simply encrypt it. Decrypt at runtime. Perhaps the password/key is based on the serial number of the device or other nonce unique to the phone. That way, they can't copy data and program to another phone and have it work.
Put a timebomb in place. That is, after a specific date, the app just doesn't work.
On startup, your app accesses a website and downloads a URL. Based on the contents of the URL, the app shuts off.
All of these mechanisms can be defeated by someone that really wants to copy your app or get at your files. But it's sufficient to ward off the casual hacker and to buy time while your app is relevant.
Use the licensing options provided by the Play Store. Tools like ProGuard can make it difficult.
You can try StarForce Android Protection that prevents hacking and copying. They offer a month for free. It can be enough for testing. Or just ask for prolongation of trial period if you need.

Best way to store user's data for my app?

I'm developing the first app I would like to release on the play store, and I can't seem to figure out what would be the best way to store data.
Users will input a lot of numbers, which will be used to create different types of graphs. For that reason I need to be sure the data will never be lost, even if they use a new/different Android device. At first I was thinking about a database, but I'm still not sure if my app will be popular enough for me to host a database and spend cash, so I figured it wasn't the best option. Plus, it would require users to create an account.
After some thought I figured I could give the users the option to either not create an account (but they might lose their data in the long run) or create an account, but I would still need to maintain a database.
Someone told me they hate creating accounts and said I could just use the Google Drive API for Android. I was looking at the doc and looking at some examples but it is a bit confusing. I would like to read/write/update a sheet, but I can't even seem to find examples on how to do that. There would also be Dropbox.
What would be the best option, in my case, to store data?
I think what suits you best would be Google's Cloud Save, I've never used it but it sounds like it will suit you best!
I'd go with Google Drive. I use it on my app. You have no cost, and almost every Android user has a Google Drive account. Keep looking and you will find good tutorials about it.
Or you could use also Parse. Very easy to work with. And free until a certain usage limit. www.parse.com

add the authentication procedure and security to android app. - Android

I need to increase the security of my android app. Actually my android app. will not be for Google play Store (which provides some licensing options to protect your app.) it will be used for some local companies that used the same app (Desktop app). However, I want to support two versions for my app. which are:
Demo version: for testing purposes (after the given period ends, the app will stop!)
Actual version: this is if the user wants to pay for the app.
What I need:
To increase the security of my app. from installing it another time or on another device for the same user!
For my code I used ProGuard, which is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging, because there are many reverse-engineering applications that are used for unpacking the compiled code and viewing the source code (actually I tried some of them and it's really amazing to restore the source code from an .apk!).
I am thinking of using the MAC address of each device the app is installed on, storing it in an internal database and generating a number from it (somehow), then asking the user to enter it (I am the one who knows this number and provides it). If it is correct, the app runs, otherwise not. But it's just an idea; I do not know how this can be done, or where I can start, or even if it will help!
I tried also SharedPreferences But this does not help!
Actually I do not need for external database on server to read the username or the password for eligible users for app. I need to do that by my app. itself!
In sum please,
How can I protect my app from installing many times for same user or continuing using after testing period ends, etc. (I mean make it more secure)!
any ideas, any suggestions, any useful examples or sites are also desirable.
Sorry for this long question,

I want to obfuscate some files in my application, how?

The apps we write will soon be enhanced by downloadable "packages" using the in-app purchase API. We would like therefore to start securing our content which we wish to allow the users to download/extract onto their memory card (so as to not use up internal memory for our large applications), however, we need to secure the files somehow so that they can't simply be taken from the SD.
Can anyone suggest some possible/simple/common techniques used to do so on Android?
You'll want to look into ProGuard, it's pretty well integrated with ADT. An easy way to get a good ProGuard config file is to create a new Android project in Eclipse, as the newer versions of ADT automatically make one for you. It is used when you right click the project and use Android Tools>Export
I'd think you'd probably want to generate a hash based on some unique device identifier and a strong key of your choosing. A unique identifier for the device can be generated using the technique discussed in this answer. Have the App transmit that hash to your server, and encrypt the package before (or as) it is sent to the user using this hash as a key. Your app will decrypt the data as it is read by generating the key on demand (the same way it was initially generated). Have a look at the MessageDigest class and the javax.crypto package in the API.
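
The scheme described in the answer above (and the per-device encryption suggested earlier on this page for data files), written with `MessageDigest` and `javax.crypto`; this is an added example, not code from the answers. The identifiers, the secret and the `IV || ciphertext` layout are constructed, AES-GCM is the cipher chosen here, and the server and app sides both run in one file.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class DeviceBoundPackage {
    // Hash the developer's secret together with the device identifier into a 256-bit AES key.
    static SecretKeySpec deriveKey(String deviceId, byte[] appSecret) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(appSecret);
        md.update((byte) 0); // separator between the two inputs
        md.update(deviceId.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(md.digest(), "AES");
    }

    // Server side: encrypt the package for one device. Output is IV (12 bytes) || ciphertext+tag.
    static byte[] encrypt(byte[] plain, SecretKeySpec key) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh IV for every package
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    // App side: regenerate the key on demand and decrypt; a wrong key fails the GCM tag check.
    static byte[] decrypt(byte[] blob, SecretKeySpec key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-app-secret".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] pkg = "level-pack-1 contents".getBytes(StandardCharsets.UTF_8);    // constructed
        byte[] blob = encrypt(pkg, deriveKey("device-A", secret));
        System.out.println("same device decrypts: "
                + Arrays.equals(pkg, decrypt(blob, deriveKey("device-A", secret))));
        try {
            decrypt(blob, deriveKey("device-B", secret));
            System.out.println("other device decrypted the package");
        } catch (AEADBadTagException e) {
            System.out.println("copy on another device rejected");
        }
    }
}
```

The derived key is only as secret as its inputs: the device identifier is readable on the device and the secret ships in the app, so this stops files copied off the SD card from opening elsewhere, not someone who decompiles the APK.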

How to prevent application thievery (specific to Android applications)?

I was wondering what the most effective way of preventing people from stealing my application (downloading a copy of the .apk online rather than buying it).
I've spent a lot of time on one in particular (Droidbox) and won't be releasing Sync until I can guarantee that the people who are providing illegal copies of the pro version aren't able to.
Anyone implemented this? I've tried checking my package signature versus the signature of an unsigned copy but it appears to be the same - perhaps I'm doing something incorrectly here. I'm unsure whether people actually distribute the signed .apk in which case I don't think signature validation would work to begin with...
Please note, this question is specific to Android Marketplace Applications - the difference being, application delivery is out of my hands and I have no way of linking between a legitimate purchase and an illegal download.
Now there is the new Google App Licensing available. For deeper information read about it in the android developer blog.
A short summary: Google provides a library that makes an inter-process call to the market client on the phone. The market client will then ask the Google servers if the signed-in user has purchased the app and forward this answer to you. There should be a public key in your developer profile that you need to encrypt the connection to the Google server to prevent spoofing of answers. You also provide an application- and device-unique ID with the query to make it impossible to forward approved queries to another device and build something like a licensing proxy with one bought copy forwarding the IS LICENSED answers to other devices.
At the moment this service looks secure enough to protect even the more valuable apps in the market. I will give it a try and maybe come back and leave some more information after I have used it a little bit.
If your app is really popular, like an EA game or something, this won't stop users from hacking it. To hack the app somebody has to buy it, then unzip the apk, and edit the bytecode of your app to think that the market sent a correct answer. The new bytecode can be packed into another apk and can be installed on every phone that allows side loading.
To make this harder you can always try to obfuscate your apk and make your bytecode hard to understand.
There is a single, useful connection between an application buyer and the developer through the marketplace, the forwarding email address provided by google to contact the buyer.
Utilizing the integration callback setting to send buy information to your own server, you can use PHP to send a unique identifier (registration code) to the buyer via email (in real time, as the callback is shipped from Google during a purchase). The user then uses this email to register their software using the unique identifier that is then linked to their Android ID (or Google account username) and the software is "activated" and guaranteed to be legitimate.
Obvious Questions
Why is this a suitable solution when it requires the user to read email? Our market are those people who are capable of buying an application using an android device. By using an android device, it is implied that the user has a google account which implies they know how to use email.
How do I use the email with the unique identifier with my application? Create a content handler in your application that handles something like "myactivator://uniqueid-or-something" which causes your application to communicate to your internal server that keeps tabs on activations. Embed this as a link in the email that the user can click on.
How should I generate the unique identifier? I'm going to use the email somehow - I'm fairly confident Google has already made it unique enough to disallow any feasible method of contact information selling.
What about people who have already purchased the software? A lot of options here - none ideal or terrible.
Send emails to all previous buyers
Allow users to activate by typing in their order number (can be obtained by logging into checkout.google.com).
Why bother?
Because some of us put a lot of time into applications and saying "you should just accept pirating" is a slap in the face.
The people that are lax enough to use pirated copies of your application to access their DropBox are probably using their DropBox for piracy anyway. Forget those people. Let them go. Yes, it's a huge number of people I bet, but let's face it, those people were never going to pay you anything anyway. Focus on the parts that you can control, and forget the rest.
Focus on the Android users that use DropBox for their work, for their businesses, for their own code, for their finance, for their thesis, and/or for their private family pictures. 95% of those people, that have something of value in their DropBox, and that want it kept private, are going to want to buy your application (assuming it's good enough for them).
Let me use this analogy:
When it comes to hiring a locksmith to put a lock on your home, do you hire the guy that looks the part and takes $150 an hour, or do you hire the shady guy that is willing to sell you a stolen lock to put on your front door?
Release your own illegal copy in the best known forums and have it disable itself after a week and showing a message like
Thanks for stealing... I make my living with programming this app. The x Dollar won't hurt you and I could buy my next meal and go on making great updates for you.
I think this is the only thing that you can do about it. People will always find a way to copy your app and all countermeasures will only disturb the users that paid for the app.
The people copying your app aren't your customers and they never will be. Just see their use of the program as a kind of viral marketing. At least they are talking about your app and maybe some of their friends will then buy the app.
General shareware advice here - license the software to the individual. i.e. provide a license key that is personalized to their username. They'll be much less likely to distribute a key if it's got their name on it. You can probably automate the backend fulfillment of the order, to provide custom keys. Have your "Pro" version operate in trial mode until the name/key are entered.
Don't leave your computers so that someone can steal your applications from there.
Or wait.. Did you mean you don't want others to copy your software? Then.. not publishing it in the first place is likely your best option.
A bit related link: http://news.cnet.com/8301-27076_3-20003120-248.html
Neither do you have any mechanism to estimate the amount of illegally copied software. Enjoy your attempts at stopping the rain even though entities bigger than you have attempted and failed.
There is a new tool in the wild that seems too good to be true:
Automatic Application Licensing from Keyes Lab.
I haven't tried it yet but if this works it sounds like something you want to use in your high priced Android apps.
If anybody tested it leave a comment or edit my answer with personal feedback.
I have the same issue. I recently found a number of my paid apps available for free download on this site: https://dlandroid.com/
I asked them to remove my app APKs, but I'm sure there are many other similar sites. Presumably they have a rooted phone which gets one valid copy of the app from Google Play, then uploads it onto their web site to distribute to all and sundry for free.
You could spend endless amounts of time ensuring that there are no pirated copies of your apps on the web, or implementing complex piracy protection measures, which would most likely make things less convenient for your genuine paid users. But I guess in the end, you have to be prepared to make a trade-off and accept that a certain level of loss is inevitable, and hope that most people are honest and get your app through the proper channels rather than risk malware infection by going to dodgy sites like this.
