Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>I'll describe how you can effectively protect against modification and repackaging, not how you can protect the assets on their own, although you could ultimately apply the same technique to encrypting them. It's imperfect, but you can make modification significantly more difficult.</p> <p>You sign the application with a certificate. Although they can <em>remove</em> yours, noone else can produce the same certificate when putting it back together. You can therefore check the signature of the application at runtime, to make sure it's what you expect.</p> <p>Here's some cheap and nasty code to do this:</p> <pre><code> PackageManager pm = context.getPackageManager(); PackageInfo info = pm.getPackageInfo( context.getPackageName(), PackageManager.GET_SIGNATURES ); if ( info.signatures[ 0 ].toCharsString().equals( YOUR_SIGNATURE ) ) { //signature is OK } </code></pre> <p>where YOUR_SIGNATURE is a constant, obtained from running this code on the signed app.</p> <p>Now, there are two remaining problems that you have already hinted at:</p> <ol> <li><p>how can you stop someone just modifying the constant in the source code to match their certificate, then repackaging and re-signing the app?</p></li> <li><p>how can you stop someone finding the check method and removing it?</p></li> </ol> <p>Answer to both: you can't, not absolutely, but you can do a pretty good job through obfuscation. The free Proguard, but more usefully the commercial Dexguard, are tools for doing this. You may baulk at the current €350 cost of the latter; on the other hand, I have tried to reverse engineer apps that are protected like this, and unless the stakes were <em>very</em> high, it isn't worth the trouble.</p> <p>To an extent, you could also do the obfuscation for (1) yourself; have the signature 'constant' assembled at runtime through some complicated programmatic method that makes it difficult to find and replace.</p> <p>(2) is really a software design issue; making it sufficiently complicated or annoying to remove the check. Obfuscation just makes it more difficult to find in the first place.</p> <p>As a further note, you might want to look at whether stuff like <a href="http://developer.android.com/google/play/licensing/index.html">Google Licensing</a> gives you any protection in this area. I don't have any experience of it though, so you're on your own there.</p>
    singulars
    1. This table or related slice is empty.
    1. POCheck Android Assets Integrity
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USRob Pridham
    1. USRob Pridham
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POCheck Android Assets Integrity
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COWhatever you do, NEVER put your signing key in your code! This would allow someone with a will to unpack your apk, and repackage it with your same signing key.
      singulars
      1. PO
      1. USPhil
    2. COPlease re-read the code. It's NOT the signing key, it's the signature of it. If it were possible to obtain the signing key from the certificate, we would all have bigger problems. I have edited the answer's wording for clarity.
      singulars
      1. PO
      1. USRob Pridham
    3. COGotcha. I un-downvoted. Could allowing a hacker to view the signature (in the event they went through all the obfuscated code) be beneficial to resign, or republish the app?
      singulars
      1. PO
      1. USPhil
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload