Android S/MIME development - android

I have searched from here to the ends of the earth and have still not figured out how this is possible.
I started with using the custom built javamail/gmail api because I wanted to send the email in the background without any interaction from the user.
I then tried to build ontop of that: crypto ( http://javamail-crypto.sourceforge.net/ ) coupled with bouncycastle ( https://www.bouncycastle.org/ ) to sign the email
Because these api's are so old, they clash a lot and every time I seem to fix one obscure error, I uncover another.
I have seen 1 or 2 apps on the market that provide S/MIME encryption and have emailed the creators but have not received a reply.

I've officially given up, its not a case of how old the API's are but a combination of the following two problems:
There is no java.awt package in Android, but a custom andrioid.awt one. I have tried editing the jar files belonging to bouncycastle to adapt to this but to no avail.
The api's seem to not correspond with each other at all. Every time I got close to signing the email and sending it, I would find a nosuchfieldexception or nosuchmethodexception at runtime where one api was looking for something in another api.
Eventually, I just gave up trying to do it for free and found a site called Chilkat who have a perfectly working API with a 30 day trial from the first time you run the code.
Their android api's are here: Chilkat for Android
The reason I'm putting this up is for anyone else who's gone through as much blood and sweat over this as I have to know that there is some hope, even if you have to pay for it...

Djigzo S/MIME Email encryption, from the author “Djigzo”
For Blackberry devices, download the app from: http://www.djigzo.com/bb.html

And of course it has to be free also? The APIs haven't changed because S/MIME hasn't changed. I think you'll also find the sockets API hasn't changed in eons because TCP hasn't changed. However, if you are willing to pay money, then you might consider IAIK, for example this IAIK toolkit.

Related

Send SCEP request from Android

I'm looking for a way to send SCEP requests from android devices. I found some incomplete code in this SO-question. Of course I could do all the work and boilerplate code myself, but I wonder if there's a more standard way to enroll android devices to our PKI. Googling around I found a lot of hits regarding jSCEP not being supported on android, but these hits are quite old and jSCEP does not seem to be a very active project.
So my question is: Do newer versions of android (marshmallow and upwards) support a standard way to create and send SCEP requests?
OK, after some trial & error I found out that it is possible to use jScep on Android following the instructions on the github site of jScep.
The only differences are the construction of the client where i had to exchange the ConsoleCertificateVerifier with OptimisticCertificateVerifier to make it work. As the scenario takes place in an enclosed environment this doesn't raise any security issues for our case.
The other changes were to run the request in it's own Thread and handle the result in a Handler to avoid blocking the device while requesting.
In the long run we may fork jScep as it seems to be not well maintained, but that's another cup of tea. :-)

Howto integrate static code analysis (SonarCube) into ship.io for mobile projects?

We have a setup where we want to use https://ship.io/ as our cloud-based continuous-integration server.
However we also want to have some kind of static code analysis (preferably SonarCube but that is debatable), which isn't supported officially by ship.io.
The Projects are classic mobile Projects (Android and iOS).
I have seen some posts of people mentioning that they managed to setup this kind of configuration. SonarCube just has released a gradle plugin http://www.sonarsource.com/2015/06/15/sonarqube-gradle-1-0-released/ so the Android part should be doable.
However at the moment i have no idea what would be the best way do do this for the iOS part of the project.
We already contacted the ship.io team on this issue but did not recieve a response yet.
Any suggestions/insights on this?
My name is Tim Rosenblatt and I'm one of the senior engineers here at Ship.io. I'm not sure why you didn't get a reply from our support email, and I'm glad you posted about this here.
As Viktor mentioned, we definitely support custom scripts. You absolutely can run whatever you like during your build process with this type of step.
I've got a few links that should be helpful for you in getting SonarCube added to your Ship job, but you can definitely get in touch with us if anything isn't clear enough for you. You can use the in-app support icon at the bottom right of your dashboard, or just email me personally -- tim at ship dot io
http://support.ship.io/environment/install-software
http://support.ship.io/environment/custom-shell-scripts
Thanks!
You should be able to write a script (bash, ruby, ...) which runs your static code analysis and then call that script on your own Mac or on any CI which supports running custom scripts. AFAIK ship.io does support this, our service (https://bitrise.io/ - CTO here) certainly does.

Android API versus Java API for Google+ Search

tl;dr: How do you do a Google+ keyword search using the com.google.android.gms library? Can you use the OAuth token, or do you need an API key? (Yes, I know that token is overkill for the application.)
I'm attempting to write an app that will search Google+ for a particular word, and then display results. I followed the Android-specific quickstart. That works fine, but it's only signing in...which maybe isn't even required. I don't care about user profiles or anything. I just want to search and show results. But whatever. It's working. Let's call that part A.
Part B is the actual search. I found another sample code for that, but it's for Java, not necessarily Android. Here's where the problem is. I'm getting a 403 when I try to search, and I could show you the results of that, but it's the same as you'll find all over - "Access Not Configured"...which I did configure. I spent a lot of time regenerating keys, and it seems like a dead end in a way.
But my question, that I'm finally getting to the point of, is about the two samples, and how they differ. Part A, which is Android specific, has a package of com.google.android.gms, but part B, which is plain Java, has a package of com.google.api. So, I can log in through the Android library and it works, but that package doesn't seem to include anything to allow searching, and the plain Java package gives me that access error, which is nonsense because I already have the OAuth token...in a seemingly incompatible API.
Why are there separate packages? Should I ditch the Android one completely? I'm considering ditching native Android code entirely and just using HTTP, which seems a lot simpler.

How should I code to resist "one-click piracy"?

The app I am working on is automatically cracked by antiLVL (although I am not using the LVL in my app).
In order of protecting my app from "one-click piracy", I am implementing tampering detection techniques explained at Google IO.
I have tried checking the signature both with getPackageInfo() and reflection (invoke()), but AntiLVL was able to crack the app automatically in both cases.
How can I write code that will not be automatically cracked by the current version of antiLVL (1.4.0)? I mean, apart from using JNI.
PS: I am not talking about preventing piracy in general. I just want the pirate to dig into the code by hand rather than using an automatic cracker.
The problem is, any API that only serves to check the validity of your application can be subverted and replaced with a version that always returns the result you expect. I haven't looked at Anti-LVL in detail, but I would imagine it is doing this, which is why your attempts to verify your code using Dalvik's built-in APIs for this purpose are failing.
In order to make it work, you'll have to do the work yourself, using only APIs that have multiple purposes and cannot be so easily subverted.
One way of doing it is to calculate a checksum of either your .apk file or just the classes.dex file inside it, and verify it against some external resource (online server with list of known correct versions, file downloaded to SD card on first execution, etc, resource in the .apk file that isn't included in classes.dex). This prevents code modification, which I believe is how anti-LVL works. I haven't tried this myself, but suspect it should work.
The Presentation Notes from Evading Pirates and Stopping Vampires
Some basic keypoints
Modify the LVL
Implement LVL Tamper Resistance
Use obfuscation
Add reflection
Please note, the #:r.page.X at the end of the links I've provided will not always bring you to that specific slide page number for whatever reason. If it doesn't, take note and browse manually.

Deprecated API Android and Iphone

I am making application which is using a deprecated API. I have to submit it on Apple and Android App Store next month.
In this case, is there any chances to reject the application from app Store of Iphone And Android.
Don't use a deprecated API. Almost nobody deprecates something without providing an alternate means to accomplish the same task. Use the documentation to discover these alternatives, and adjust your code accordingly. What happens if iOS 5 comes out tomorrow, for instance, and all of a sudden your code breaks on those devices. You'll be scrambling to fix it. Fix it now while you have some time.
Android should not be a problem due to the fact that they won't look at your code. Apple will probably check your code and if they see it, they will most likely tell you that you are using deprecated API, but I don't think they will reject it if it is working flawlessly with it.

Categories

Resources