Verifying the Android Licensing API remotely - android

I have an application that needs to create a remote account if the user pays for an application using the Android Market.
How might I do this from the application itself in a secure way, i.e. I don't want anyone to be able to submit data to a URL and create an account; I want this to happen in a verified way. I thought of including an authentication key in the application itself, but that does not stop someone from decompiling the application and taking out the authorisation key.
Is there a way to query the Android Market payments using PHP?

http://code.google.com/p/android-market-api-php/
Don't know if this might be of any help.

I found out how to do it. You need to write a custom Java class based off the original Licensing System, in particular the verify() method. You can then run the command using backquotes in PHP and grab stdout.

If you would like to use PHP rather than execute a Java process you may find this library on Google Code verifying Android Market licensing responses useful.
It just takes a few lines of PHP to verify a license and the formatting of keys and OpenSSL stuff is taken care of for you.

Related

Android - How to secure API's from being hacked?

My app has a few POST APIs. Unfortunately, there is no authorization required for those APIs.
How can I prevent the API from being hacked by methods like HTTPCanary and decompiling of the app?
I have tried these things but still, people are able to get the API.
Base URL is encrypted and stored in the gradle.properties file
User won't be able to use the app if HTTPCanary is installed (validation added in onResume of all activities), but I am not sure whether the user uses any other apps like HTTPCanary.
Please help me with a failproof solution for this.
Use HTTPS for your server and be sure that you are using "SSL pinning".
You can find more about it in this blog post.

Google Authenticator - User Registration withOUT Mobile App

We are developing a native mobile application: Android platform, iOS platform (Swift).
Instead of asking the user to download and install the https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_IN mobile app and then generating a QR code in our application to be scanned by this app, we would like to do it the API way. That means we want to call the Google Authenticator API, pass it the QR image and secret, and the user is registered.
Is this OK and possible? Anyone using it, please suggest.
I'm not going to say that this is impossible, but integrating Google Authenticator would be a nightmare, and likely wouldn't do what you're expecting it to do. Allow me to explain.
Problem #1
For each instance of the app, you'll have to have a Unique Identifier to pair it to Google's Authenticator. In other words, you'll need to generate a new QR code for each device, pass that off to the system (Which doesn't exist without the app.) to pair the application. This is going to require a "Log-In" to properly store.
Check out this for a possible work-around to Problem #1: https://authenticatorapi.com/
Problem #2
If you're already logging in and the device is already being authenticated, what purpose does the Google Authenticator provide? Well, I'm assuming it allows you to prevent unauthorized access, possibly prevent more than one device. There are infinitely easier ways to manage this, location services are the first one that comes to mind for me.
Possible Solution (iOS)
This is absolutely my go-to method for handling authentication. Encourage or require your users to use 2FA (Two Factor Authentication) attached to SMS messaging. A simple line of code such as this will grab an SMS one-time code.
// Available as of iOS 12, make sure to check version.
self.verifyCodeTextField.textContentType = .oneTimeCode
Android SMS Retrieval
Android Auto-SMS-Retrieval https://developers.google.com/identity/sms-retriever/overview
I don't know it all, most certainly, but I hope this opens the floor for some discussion and brings forth a solution or explanation to your question.
Research Material
Google Authenticator available as a public service?
java API for google Authenticator

APK - Where is the security?

I read this regarding how to extract code from an APK.
I am really confused about how other apps ensure security. I have a website. In that I have written all queries in PHP. So there is no way to get my queries unless they compromise my server.
In the case of an Android app, I will have to write all the queries and connection details in Java. So if they are able to get the code from the APK, they can get my credentials, can't they?
How do other apps work? If I have understood wrongly, please help me to understand.
So if they are able to get the code from the APK, they can get my credentials, can't they?
Yes. If your app contains secrets and you distribute it to your customer, your customer has the secret.
Whilst you can obscure the secret using obfuscation tools like Proguard, this will be of limited effectiveness against all but the most casual attacker.
How do other apps work?
Usually, the client-side app makes a connection to a front-end application on your server. The application server does its own identity management, connects to the database, and performs whatever limited range of operations the application allows for each user.
The application server is typically accessed using some kind of web services. You can re-use your PHP code here; the client app is then effectively just a convenient interface to making HTTP calls against your existing web site.
Android has a feature called ProGuard. ProGuard converts all String and Const values into obfuscated code. It also removes unused files. So by using ProGuard, you will get two benefits. First, you get code security. Second, the APK size is reduced to 25%.
Save your queries in res/string.xml file and use Proguard. Do not write queries in Java, just use the string in string.xml as query.

Distinguish my APP vs cloned APP when accessing data from server

I have a website which supplies data to a mobile app.
Is there a way to identify my app vs a cloned app?
So that I can block access for any cloned app.
On first-time app usage, I generate an APP ID, PASS CODE & Access URL.
I change the PASS CODE frequently, but how do I identify my app on the first access, so as to be sure that I am issuing the APP ID & PASS CODE to my own app only?
What sort of encryption can I use for the first-time access?
You can have a hardcoded key in your app code that only your server knows. Use it to create a hash signature, like md5(concat(key, deviceId)). When the requests arrive at your application server, you can do the same and compare the results. The cloner can't discover this key by sniffing your app requests. The only way to get it is by disassembling it, but it's much harder.
This is a simple suggestion, though. If you want a more sophisticated solution, check for HMAC wiki.
It makes sense to pass a token via Push to an application (GCM for Android). Using that code can uniquely identify the application, and a cloned application could not reach that code.

Website API only for my android client

I want to develop an Android app for my website. One way of doing it is to have an API for the site, and let the app use that API. However, I want this API to be used ONLY by my Android app; I don't want any other client to be using this API.
Is there a way to ensure this?
I can think of one way of doing it: put a secret in the app and let the app always pass this secret to the API. But I am not sure how secure this approach would be, because any packet sniffer can easily sniff the parameters and hence the secret. Any other suggestions?
I think this is something similar to a question I answered a few days ago.
Securing a REST API from Android
Namely, find a way to authenticate all of your requests using a shared secret.
If you sign both the path and params with a secret, then there should be no way for someone to forge requests.
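The request signing suggested in this answer, and the HMAC pointer in the "Distinguish my APP vs cloned APP" answer above, sketched as an added example that is not code from any of the posts. The canonical string layout, the timestamp and nonce fields, the choice of HMAC-SHA256 and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed demo value. As the answers note, a key shipped in an APK can be
# recovered by decompiling it, so this raises the bar rather than proving origin.
SHARED_SECRET = b"constructed-demo-secret"


def canonical_request(method, path, params, timestamp, nonce):
    """Exact bytes both sides sign: method, path, sorted params, time, nonce."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, str(timestamp), nonce]).encode()


def sign_request(secret, method, path, params, timestamp, nonce):
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    msg = canonical_request(method, path, params, timestamp, nonce)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RequestVerifier:
    """Server side: recompute the MAC, then reject stale or replayed requests."""

    def __init__(self, secret, max_skew=300):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp of accepted requests

    def verify(self, method, path, params, timestamp, nonce, signature, now=None):
        now = time.time() if now is None else now
        if abs(now - timestamp) > self.max_skew:
            return "stale"
        expected = sign_request(self.secret, method, path, params, timestamp, nonce)
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad-signature"
        # Forget nonces that the skew check would already reject.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = timestamp
        return "ok"
```

Signing the method, path and sorted parameters together means a captured signature cannot be reused for a different endpoint or with altered values, and the nonce check stops the same request from being accepted twice inside the time window.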
Finally got hold of the answer from the android developer's blog article.
The short answer is no, sorry. If someone really wants to exploit your site/api/device/program/insert anything here and they have the time and resources then they will.
To directly answer your question, putting a key in your app isn't secure as anyone can decompile the app and try to reconstruct the key from the source files, they don't need to sniff traffic.
Correct me if I'm wrong! Packet sniffers can only be used with unencrypted WiFi and in (now) rare network configurations (a router or a switch prevent them).
For serious matters, you should consider secured connections (https).
That said, for standard content, I feel that a passphrase is secure enough. Many popular web apps don't use more than a cookie over http to let you log in, which is exactly what you're proposing.
I struggled with this issue and I actually ended up implementing a version of OAuth for securing my API. It can be difficult if you don't want to launch a browser to do the "login" part of OAuth. I baked the login right into my app and actually implemented the token exchanges under the covers. Too much involved to post the code here, but it works great. Obviously HTTPS is desired for an additional level of security.
If you could get some kind of signature back from package manager of your own app, you could use obfuscation to hopefully make it much more difficult, and have the signature/hash of signature from package manager be the key for your HMAC-SHA1.
Might have to try this ( How to get APK signing signature? )
If you did that, it would make it more difficult to use. Obviously, it could still be decompiled, but if they re-compiled it w/ debugging etc, it would have the wrong key. They would then have to actually make their own package manager on a rooted device to get the signature.
