I have an app on android. I use facebook keys,twitterkeys on my strings.xml file.
I use proguard. But when a man which want to see real code, decompile myapp , yes it is complex because I use proguard. But my strings value is seen. Is it a securty problem. I want to hide them or how can I encrypt them.
thanks
As far as I know only possible way how to achieve your goal is to physically check every user. It could be some kind of form which user has to fill with some personal data so term "physically" is maybe not the best choice here. I guess you could do that semi automatically.
Other methods are just slowing down the reverse engineer and making his life harder.
If you have the controll over your users (for example if your app is for some company employees only), you can control people who download the app by providing password secured download site and provide that password only to company employees by mail or some other way.
But after all - every secure user can be the bad guy who provide apk to some reverse engineer, so you will be never 100% safe, until .apk format change in some way.
create one encrypted file with your text data and store in assets & read it from assets by decrypting it , is one of the better solution
Related
i want to build a dictionary in C++ and qt and later for android,which will have a word and meaning.the easy option is to use sqlite or mysql like DBMS but i dont want to use them as sqlite is not secure(anyone can open that sqlite database to copy my word-meaning pair) and mysql needs a large installer file to be deployed along with installer.is there any way in which i can store my word-meaning pair in program?or can i store that word-meaning pain in a string array?there are 120000 words and almost 360000 meaning so if i make a string string word_meaning[360000][2]? will it be a problem to load the program?
or using a password protected zip?is it a viable solution?
kindly recommend any other secure and better method
regards
Like MSalters says, there is no way to make it guaranteed unbreakable, but you can make it pretty hard. And if you make it hard enough to break your security so that it is not worth the effort then you are secure enough.
You have a trade off between programming complexity and security.
The most secure that I can think of is putting the database on your own server and have your app query the server. That way no hacker has access to your database. But perhaps you also have a need for high performance when looking through the dictionary or you don't want your game to need internet.
The next thing I can think of is to place an encrypted text file with the word-meanings in your app's assets directory. Your app will contain the key to decrypt the text file and a hacker would need to decompile your app and find the key before he can decrypt the file to steal your dictionary.
Hope this helps.
I'm working on an application that it took me about 2 whole month to collect data.
how can I protect my database and files? because of a big size of database, I zipped it (with password) and put it in asset folder. I can unzip it.
2 questions:
where I can extract it that no one can access it even though they have a rooted device ?
after extracting my database from zipfile ,I want to copy it to my application database . is there anyway users can access the database ?
Depends on how smart an attacker you're expecting. If you're expecting the average user, don't worry about it- just put it in your data directory, they'd have to root the phone to see it. From a power user you can encrypt the files. From a determined hacker that won't work- he'll decompile the apk and find the key. You can pass the key from a website, but a good hacker will run it under a debugger and find the key in memory. The best way to secure most of the data would be not to have it in the app but only download what you need via webservice as you need it, but that will cost money and time.
As I know there is no way to hide your files from user sight. they can access your resources sometimes so easy. but you should encrypt your data.
You can use SQLCipher library to protect your data. see http://sqlcipher.net/
Although it has some overhead but you can distribute your data in a safe way.
Hope it can help you
It encrypts the SQLLite database at page level, ok thats fine, nothing wrong with that!
but what about your source code? its compiled, but even if its compiled someone could decompile it, retrieve your password and decrypt the database?
How safe is SQLCipher?
According to the SQLCipher design documentation, it is based on secure components (AES, OpenSSL, HMAC_SHA1, PBKDF2,...). If those claims are correct, it sounds good to me.
What is a bit unusual (to me, at least) is that there is a random IV per page. This is somewhat different to the typical file system encryption mode AES-XTS. The design used by SQLCipher has certain advantages over AES-XTS, for example writing the same data again will not result in the same encrypted page. However, possibly there are disadvantages, for example I'm not quite sure if with SQLCipher it is possible to move or copy pages (copy encrypted pages to another page). It might not be possible, however from the design document I don't see how this is prevented. Such is the risk if a non-standard encryption mode is used :-) But even if this is a problem, it wouldn't allow an attacker to read the data; it would only allow certain types of attacks. Even with AES-XTS certain types of attacks are possible, so I wouldn't be worried too much.
What about your source code?
To keep things save, don't store the password in the code. Instead, let the user enter the password, or store it in a key-chain. This is possible for both Android and iOS as far as I see, but I don't know the details.
I have an android application that helps users to read some books , it is in pdf format.When users choose a book from a list , that book just downloaded from the server and users can read it.
I want to prevent users from copying the pdfs from the app. is it possible?
Help is highly appreciable
Thanks,
As soon as you decypher the pdfs on the device, it means the device owner has the code to decrypt pdf files. A good and motivated hacker will always be able to find that code and decypher the books. There is no solution against that.
Nevertheless, piracy and anti-piracy is some kind of nuclear weapon race, so do you best to make things more difficult for hackers, use several custom encryption schemes for instance. Also you can consider using KeyChain to store your decyphering keys : http://nelenkov.blogspot.fr/2012/05/storing-application-secrets-in-androids.html
But still, a good hacker with time would find a way. Also, if you are looking for some legal answer more than a technical one, your licence should explicitly prevent people from decyphering the files.
Simple method is you can convert it into a byte array, encode it base 64, and store it in shared preference as a string. when the user opens it, you can decode and display
It will be illegal from the case of copyright. you can do it using free books or pdfs.
I'm currently developing an Android game which saves data into a SQLite database. This is not really "sensitive" data, but I don't want users to be able to modify it (for obvious reasons of game balance, as it would be cheating). And it's quite easy to access and modify a SQLite db when your phone is rooted (there are plenty of applications for that in the market).
So should I even worry about that, or consider users with a rooted phone can do whatever they want including cheating and that's their choice? Or could I somehow encrypt the data I don't want them to modify, or add a MD5 checksum or something similar?
Another approach would be to abandon SQLite altogether and use some kind of binary files with game data.
Please let me know if some of you already encountered similar issues, and what are the approaches you followed, as well as the "good practices" in the Android gaming development community.
Thanks.
Root access for everybody and security are mutually exclusive.
Any application or user with root permissions can read and modify each and every file on your system, as well as all of the main memory. That doesn't leave many places to store a potential encryption key for the database.
You could hide parts of the key in the executables, configuration files etc, but everything you could come up with would be nothing more than obfuscation and security by obscurity.
If a user opts to grant root access to everybody, that's their decision, and it's not your job as an app developer to prevent any harm that might be caused.
Update:
Storing API keys in Android, is obfustication enough? is a pretty similar issue - it's about protecting API keys, but it's the same situation with regards to your options.
sqlcipher for Android might help here.
https://guardianproject.info/code/sqlcipher/
I think based on your requirement the best method is using consistency of data,
for example MD5 the score and time, then put score and time and MD5 in to the table, then every time wanting to use that row of DB check the MD5 of the score and time if the one in DB and the one which calculated are same, the row is consistent otherwise it was hacked!
You may find your happiness on Preferences Files Look here