i need to know how can i secure my app to make a close beta?
i want to send my app to some people so that they can test it. but i dont want them to share the .apk with other people and just use it some days. so i need to implement some kind of trial/beta mode.
i need something, that the app e.g. only runs 7 days or so. how to do this?
There are a few ways to ensure security:
Get a server, and have a server side authentication based on a unique device ID, like an IMEI or MAC address. Any device which does not belong to your testers will not be listed on your server, and you can stop the app from running.
If possible, have each person come to you and install the apk yourself, instead of mailing it to them
Create a trial system. Store the date on which the person first accessed your app from the device, and stop letting him use it n days later. If you store this on a server along with the unique ID, it'll be safer, as if it is stored in the shared preferences or something, the user could get around it by clearing the data or uninstalling and reinstalling the app.
Obfuscate your code using a tool like ProGuard. This will add an extra layer of security incase someone decompiles your app
Note that these are only a few suggestions, and none of them are 100% secure. AFAIK, there is no way to ensure 100% security, short having having the devices locked in a lead room, and letting in the testers one at a time. And there is a way to get around that too, I bet.
Use hockeyapp, there's nothing easier to distribute your app to a closed group of people.
Related
I'm going to release an android app shortly on the Google Playstore. I am aware that most apps probably don't reach the level of success where the authors need to worry about their app being cloned, but I would still have greater peace of mind if I knew that I had done what I can to stop other people copying it/stealing users by creating an identical knock-off.
I suspect that it's unproductive to try to protect the app itself (?) but my app communicates quite a lot with a backend server and I'm wondering if there are ways to detect if I am getting traffic from my app or a copy? Is there any value I can get the app to send that could tell me, or some technique I could use to differentiate my app from copies?
Thank you
Read the below article at developer.android.com.It provides details on how to obfuscate your app.
https://developer.android.com/studio/build/shrink-code#obfuscate
I'm trying to understand how applications are storing data without the use of a login system. Example, an android app starts you with 500 coins and you use some of them. You have not logged in at all and you delete the 'app data' in settings and uninstall and reinstall. The app still knows you only have 450 coins left for example. The app requires internet connection so I'm assuming they are storing the info on their server. If so, how are they uniquely identifying your device? In my reading so far it seems there is no full-proof way to uniquely identify a device every time.
I'm asking because I'm going to be working on an app where I don't want to require a login but I also don't want the player to simply reinstall and get to start over. So, my question is how does everyone handle this situation to work for both iOS and android?
Google offers Firebase, which is used for notifications, but makes use of a unique identifier for an application instance on a device (both on iOS and Android), they could be using this.
There are some more providers that offer a similar service (for example OneSignal).
Reference: https://firebase.google.com/
I'm building a react native application where I am hard-coding credentials into the application. This is why I was wondering whether there are any security implications between communication with native modules and/or the ability the reverse engineer the application. If so, what are some preventative measures I can take to still have access to those credentials and have them locally. Please let me know if you can think of any other implications react-native has in terms of security.
Thanks!
I have a small answer for part of your question that I learned when working with penetration testers on an enterprise app that I created. When you hardcode a string literal it is very easy to pull out of your app. So in order to obfuscate that a little bit one suggestion I got was to append multiple strings together to get your encryption password. So when the hacker pulls the strings out of your app he doesn't know which ones go together and in what order to get the correct password.
And if you wanted to go a little further, he suggested that I use [SomeBuiltInClass class] in the password string as well so that even if a hacker pulls all of the string literals out of my app, no combination of any of them will get to the correct password.
[NSString stringWithFormat:#"%#%#%#",[NSString class],#"SomeIntermediateSomething",[NSData class]];
But even if you do all of this and the hacker has your application in a jailbroken device he can still see all calls and all parameters that your app pushes around, so they can still get the credentials if you pass them in any method or function. So pulling the password exactly when you want to use it is key as well. They can also run any method or function in your app with any data they wish, so they can get a password the same way you do if they know which functions to call.
I'm sure there are others out there who know much more than I, but those are some things that I have done in the past.
First rule - never store credentials in a mobile app. Bottom Line. Think this has been mentioned but worth repeating, see
https://security.stackexchange.com/questions/20294/how-should-an-application-store-its-credentials
The problem:
In one of my Android apps, users should be allowed to make changes to text data on my server (via HTTP request) without being required to login or sign up.
In order to prevent spam and abuse of this function, I would like to identify a single installation of my app so that I can "ban" this installation. Of course, the user who is abusing my service could uninstall the app and download it again or something like that. But this is truly an obstacle and makes abusing the app more difficult.
So I have to find a way to identify an Android device or at least a single installation.
As one can read here or here the physical device ID of an Android phone is not a good solution. So what else could I do to achieve this?
My idea:
When the app is started for the first time, create an (almost) unique hash (maybe SHA-512) of the current timestamp and a huge random number. Then save this value on internal storage and always use it to identify this device or installation later (on HTTP requests).
What do you think of that solution? Are there any better approaches?
This is almost what the Android Developers Blog suggest, right? But are they really writing to the internal storage? They don't use openFileOutput() as suggested here.
And, at last, a question that is probably a bit stupid:
How can I use the code shown on the Android Developers Blog? Can I add that public class to my main activity .java file?
Thank you very much in advance! :)
In my current Android project, I use the Bluetooth mac id as the identifier because of what I read about the physical device ID not being reliable. Of course, my app is very specialized and REQUIRES bluetooth AND internet anyway, so this works.
Specifically I have a way of calling my web server from the phone, passing in the Bluetooth mac ID. I can check license status (for trials/expirations), where you might check against a ban method to see if that id is banned.
Since my application requires bluetooth, this worked perfectly for me since [mostly] all bluetooth mac id's should be unique.
Just an idea.
I'm looking for suggestions for ways to share Android app data between phones running the same app. For example, lets say I have an app that stores a database of book reviews. If person A has a book review that person B doesn't have, what are the options for getting that information from person A's phone to person B's phone?
Currently, I'm aware of the following options:
- Upload data from person A's phone to a server, then download data from server to Person B's phone.
- Write code to have the phones sync up using bluetooth
- Write code to send SMS messages
I'm wondering if there are any more options besides these, and if there's actually a best-practice for accomplishing this?
Ideally, I want the users to simply click a button in the app to make the sharing take place, so I don't want to go down the bluetooth route because that requires the user to do a bit of setup (or assumes they already have set things up in the form of bluetooth settings).
Since the data can be of variable length and potentially large, I believe that would rule out text messaging.
As far as the server route goes, from what I understand this seems to be an ok way of doing things, but my problem is that I have no experience with having users potentially sign in to a server and then uploading data. I don't know of the cost concerns (if any), or of potential security concerns (allowing just anyone to upload data, I'm not sure if I would have to take steps to ensure someone couldn't bypass the app and upload malicious data).
So, can you guys give me suggestions and point me in the right direction? Thanks.
I'm wondering if there are any more options besides these
You could try generating a QR code and scanning it on the other phone. Beyond that, I think you have it mostly covered.
and if there's actually a best-practice for accomplishing this?
That is impossible to answer in the abstract.
Keep the database server side and interface with it via a web service
I too am looking for a solution to this very problem. I'll throw it out there that a fourth, or rather extension of your first option, is to use the Cloud to Device Messaging Framework, though it still requires (as best I can tell) having your own server, though I suppose you wouldn't need to store the database server-side longer than it takes to send the message, provided you keep it under 1024b (or whatever the actual size is).
I don't believe there is a convenient way to monitor/send email in the background. If I could have my app monitor email messages looking for a key subject, then parsing the body, I could probably accomplish what I'm looking for using email as the transport.
The problem with maintaining a server, is that you probably would need to build in a subscription fee to your app to cover the costs of maintaining a server, as one time sales may not be able to cover the ongoing expense.