I think her point is that the checksum is verified during install, so
if you can access the checksum there's no real need to re-verify it.
(I didn't see that she said HOW to access the checksum, though.)

But of course if a pirate can find the code where you fetch the
checksum and patch in his own hard-coded value then he can circumvent
this.

A little more robust would be to access the public key used in the
certificate that installed the app (again, not sure how this would be
done) and then use that public key to sign communications with the
server.  The pirate would have to crack a more complex algorithm, but
again, once he figured out where to patch he could just patch the
public key into the pirated code.

On Sep 20, 9:12 am, gcstang <gcst...@gmail.com> wrote:
> How can this be done from the clients device?
>
> I mean is there an API that I can use to test it or is this done
> automatically?
>
> On Sep 19, 7:24 pm, Dianne Hackborn <hack...@android.com> wrote:
>
> > I don't think this will gain you any more than just checking whether the app
> > is signed with your own cert.  In order to modify an app, the pirate will
> > need to re-sign it with their own cert and since they don't have your
> > private key they can't sign it with yours.  (Note that cert checking is done
> > by comparing SHA hashes anyway.)
>
> > > On Sun, Sep 19, 2010 at 3:07 PM, Bret Foreman <bret.fore...@gmail.com> wrote:
>
> > > As an additional anti-pirating strategy, I'd like to compute a
> > > checksum on my application at runtime. Since my app communicates with
> > > a back-end server, I can send the checksum with each message and the
> > > server can deny service to altered apps. Not a complete solution to
> > > piracy by any means, but a fairly easy way to raise the bar.
>
> > > > Anyone know how an app can get access to its load image at runtime?
>
> > > --
> > > You received this message because you are subscribed to the Google
> > > Groups "Android Developers" group.
> > > To post to this group, send email to android-developers@googlegroups.com
> > > To unsubscribe from this group, send email to
> > > > android-developers+unsubscr...@googlegroups.com
> > > > For more options, visit this group at
> > > > http://groups.google.com/group/android-developers?hl=en
>
> > --
> > Dianne Hackborn
> > Android framework engineer
> > hack...@android.com
>
> > Note: please don't send private questions to me, as I don't have time to
> > provide private support, and so won't reply to such e-mails.  All such
> > questions should be posted on public forums, where I and others can see and
> > answer them.
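
The check discussed in this thread (is the running app signed with your own cert, compared by SHA hash) can be done through PackageManager. The sketch below is an added example, not code from anyone in the thread. The class name SignerCheck and the pinned digest value are placeholders, and as the first reply points out, anyone who can patch the binary can patch this check as well.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.util.Locale;

public final class SignerCheck {
    // Placeholder (assumption): lowercase hex SHA-256 of your release signing certificate.
    private static final String PINNED_CERT_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256_HEX";

    private SignerCheck() {}

    /** True only if every current signer of this APK matches the pinned certificate digest. */
    public static boolean isSignedWithPinnedCert(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] signers;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                // API 28+: signingInfo replaces the deprecated signatures field.
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNING_CERTIFICATES);
                signers = pi.signingInfo == null ? null : pi.signingInfo.getApkContentsSigners();
            } else {
                // Older releases, including the 2010-era platform this thread is about.
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNATURES);
                signers = pi.signatures;
            }
            if (signers == null || signers.length == 0) return false; // fail closed
            for (Signature s : signers) {
                // Signature.toByteArray() is the DER-encoded signing certificate.
                if (!PINNED_CERT_SHA256.equals(sha256Hex(s.toByteArray()))) return false;
            }
            return true;
        } catch (Exception e) { // NameNotFoundException, NoSuchAlgorithmException
            return false;       // treat any lookup failure as "not ours"
        }
    }

    private static String sha256Hex(byte[] der) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format(Locale.ROOT, "%02x", b));
        return sb.toString();
    }
}
```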
