1. I don't know.
2. Yes, it seems to be replacing an `fbconnect://` URI with `http://`, meaning there is no encryption for connections using this code.
3. I guess yes, try it to verify that.
4. It is no problem to change that; you can decompile APKs, change some code and compile them back if you want. The only thing that you can't do then is to sign the APK again (you lack the secret key required for that). Or you can use the signature in your own code.
   The signature check for your app happens at installation time, and during that, permissions you request in your manifest are removed if your signature does not match the requirements. If you update your APK, the signature of the new APK is checked against the old existing APK, and the upgrade will fail if the signatures don't match. But you can uninstall the old one and install your fake one.
   If you send an Intent from your app, the system probably includes the package of the sender and you have no access to change that.

And the whole point of verification to the server is not ultimately a security thing, since there is no bulletproof way to authenticate an app. It is used to make it harder for others to abuse the API, and it is used to track who is using the API.

An authentication mechanism requires that there is some sort of secret key inside your APK. But since you ship that APK to potentially evil customers, you have no more control over it, and it is possible to extract the key and abuse it. All you can do is obfuscate the key so it is harder to get. But it is ultimately not possible.

So let's assume you have an app out there that communicates with your backend server, and I download your app to my device. I can then get the `.apk` off my device, decompile it and find out how the communication with your server works - the plaintext before HTTPS is ever created. I can also see what the signature of your app is; that is stored in an XML file on the device and in the APK as well. Then I go and either modify your app or create a new one that uses that information to behave exactly as yours would, with the exception that it is not your app. It's no problem to use HTTPS, and I can also send you your expected signature.

You can't prevent that from happening. You can only make it hard to do.