I am new to Parse SDK. Is it safe to use Application ID and Client Key within the app? as reverse engineering the APK file might reveal the keys. Is there any other workaround to pull them in the Parse.initialize() function.
Like everything else contained in your APK it is only safe if you obfuscate your code. Make sure that you are using ProGaurd when you build your application and have configured it for gradle if you use Android Studio.
If you use ProGuard to obfuscate your code then you wont have to worry about people being able to unpack your APK and retrieve your Parse credentials.
If you want to test that your ProGaurd configuration is correct you can try and unpack your own APK to make sure everything is obfuscated and hidden as expected. This question will show you the process.
This is something that I have always asked myself. In addition to this you could also use a random keygen to connect to random parse database if you were trying to hack data. I tried to find the SO.com post about this but was unable to do so, regardless, I saw someone post that they had their key strings stored in AWS so that they werent in the APK package. In my opinion you shouldn't have to do this but whatever... Parse is pretty sweet when you cut back on development time and their online data portal is nice as well.
Related
I have signed my APK now but if I open it up I can still see many things like websites I connect to, Stuff that is written in the APP etc. Is there anything that I should be aware of? On one hand this is needed to run the app, but is there any sensetive data included?
proguard doesn't obfuscate strings. Dexguard does, but you'll have to pay for it.
I have an existing released Android app in google play. But some hacker extract source code from apk and use our services.I have already implement proguard + Base64 but even through hacker extract source code from apk. How can i prevent my apk from extraction?
Cant prevent extraction.
Can do proguard but a good attacker it wont stop, because he can
decompile your and reverse engineer it. Then he can listen to your
LogCat, Binder, sniff communication...
On the other hand u can do a lot of stuff to make your code better.
Use SSL learn how to use proguard better so it ill be harder for
them, dont write anything to log, encrypt data.
I have downloaded an Android App source code from GitHub and converted into an apk file.
Looks like the Developer has used parse backed to store and retrieve data.
Is there a way where those DB authentication details are located so that I can replace with those keys with my keys and use my authentication details.?
Well, according to Parse, the keys are passed to Parse.initialize().
A search of the project shows that the developer, for whatever reason, calls Parse.initialize() in several places. You would have to ask the developer why that is the case.
And, in general, committing keys like this to a public place, like a GitHub repo, is not a particularly good idea. Perhaps it's not a huge issue for Parse — I am not a Parse user, so I do not know the rules regarding their keys.
Looking to improved the security of my Android app to flag if the .apk has been extracted, modified, repacked and resigned. Here's article from Zdnet noting the issue link1.
The concern is if the app is targeted by hackers they could add malicious code and upload to an alternate app store and dupe users in to downloading it.
So I'm thinking code to verify a checksum of the apk or signing certificate?
I appreciate the app code could be repacked and any security code removed, but it does increase the difficulty of repacking it, maybe enough for them to try another app.
[update]I know the Google Play store licensing module offers something similar but I'm looking for something for non paid apps and other/non marketplaces.
I ended up using Dexguard (paid obfuscator for Android). It offers a module that preforms apk verification. It is simple to implement and offers better than average protection.
Here's the code to do the check:
dexguard.util.TamperDetection.checkApk(context)
The main issue is where to store the checksum of the apk to verify against given that it could to be replaced. The dexguard way is to check it locally but using other features like class/string encryption and api hiding obscure this call.
Here are some of the articles that could help you out.
Retrieving APK signature during runtime.
Self checking an APK signature.
How to check APK signature.
Use the Google licensing service It will connect with the play store to make sure the user purchased the app every few days. (you can set the amount) Also loook at ProGuard. It strips all the class, method, and variable names out of your code making it really hard to understand once its decompiled.
The apps we write will soon be enhanced by downloadable "packages" using the in-app purchase API. We would like therefore to start securing our content which we wish to allow the users to download/extract onto their memory card (so as to not use up internal memory for our large applications), however, we need to secure the files somehow so that they can't simply be taken from the SD.
Can anyone suggest some possible/simple/common techniques used to do so on Android?
You'll want to look into ProGuard, it's pretty well integrated with ADT. An easy way to get a good ProGuard config file is to create a new Android project in Eclipse, as the newer versions of ADT automatically make one for you. It is used when you right click the project and use Android Tools>Export
I'd think you'd probably want to generate a hash based on some unique device identifier and a strong key of your choosing. A unique identifier for the device can be generated using the technique discussed in this answer. Have the App transmit that hash to your server, and encrypt the package before (or as) it is sent to the user using this hash as a key. Your app will decrypt the data as it is read by generating the key on demand (the same way it was initially generated). Have a look at the MessageDigest class and the javax.crypto package in the API.