> In my implementation, the danger is not that the hacker will use my
> key to sign the apk after modifying it (not possible), but that the
> hacker will debug the post variables being sent to the server and copy
> the key, then hard code the string into the api call, do his other
> modifications, sign it with his key, and poof, my anti-piracy measures
> are broken.

Well, you're partly right, but more wrong than right.  The first/
biggest danger, as you suggest, is that the hacker will crack your
code and hard-code values in the program you're using to detect
impostors.

But the hacker could also take your APK, modify it without changing
the signature, and then spoof the checksum so that it still appears to
be validly signed by you.  This is a bit harder to do, but much worse,
in that the hacker is using your identity to possibly do very
nefarious things.

If the checksum used in the APK is not cryptographically strong then
this is a possibility.

On Oct 8, 1:38 am, JonFHancock <jonfhanc...@gmail.com> wrote:
> In my implementation, the danger is not that the hacker will use my
> key to sign the apk after modifying it (not possible), but that the
> hacker will debug the post variables being sent to the server and copy
> the key, then hard code the string into the api call, do his other
> modifications, sign it with his key, and poof, my anti-piracy measures
> are broken.
>
> However, I also log the CRC32 of the current app with each api
> call.  If I see a particular CRC32 that I know I didn't sign, I can
> block its api access selectively.
>
> Since I already require users to stay up to date within 2 versions, I
> have fairly good knowledge of what legitimate CRC32s are out there.
>
> On Oct 8, 2:01 am, Dianne Hackborn <hack...@android.com> wrote:
>
> > On Thu, Oct 7, 2010 at 6:22 PM, DanH <danhi...@ieee.org> wrote:
> > > So what is protecting the application from forgery?
>
> > What do you mean?  This is the cert it is signed with.  Do you have some way
> > to force the cert?
>
> > --
> > Dianne Hackborn
> > Android framework engineer
> > hack...@android.com
>
> > Note: please don't send private questions to me, as I don't have time to
> > provide private support, and so won't reply to such e-mails.  All such
> > questions should be posted on public forums, where I and others can see and
> > answer them.

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
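Added example, not part of the thread above: the "checksum that is not cryptographically strong" case the reply warns about, played out against the CRC32 scheme described in the quoted post. CRC32 is linear, so an attacker who has already patched the APK can append four chosen bytes that drive the CRC back to a value the server already trusts; a cryptographic hash such as SHA-256 has no such shortcut. The "APK" below is a constructed byte string, not a real archive, and the function names are mine.

```python
"""Forge a CRC32 so a patched blob reports the CRC32 of the genuine one.

Everything here is constructed for the demonstration. The only real
algorithm is CRC-32 as computed by zlib.crc32.
"""
import hashlib
import zlib

CRC_POLY = 0xEDB88320  # reflected polynomial used by zlib.crc32


def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _crc_table()
# For CRC-32 the top byte of each table entry is unique, so a top byte maps
# back to exactly one table index. That is what makes the CRC reversible.
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}
if len(TOP_BYTE_TO_INDEX) != 256:
    raise RuntimeError("CRC table top bytes are not distinct")


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that zlib.crc32(data + p) == target."""
    # zlib.crc32 returns register ^ 0xFFFFFFFF; undo that to get the internal
    # register after `data`, and the register we need after the patch.
    reg = zlib.crc32(data) ^ 0xFFFFFFFF
    want = target ^ 0xFFFFFFFF

    # Feeding four bytes with table indices i0..i3 leaves the register at
    #   T[i3] ^ (T[i2] >> 8) ^ (T[i1] >> 16) ^ (T[i0] >> 24)
    # regardless of the starting register, so peel the indices off `want`
    # one top byte at a time.
    indices = [0] * 4
    cur = want
    for k in (3, 2, 1, 0):
        indices[k] = TOP_BYTE_TO_INDEX[cur >> 24]
        cur = ((cur ^ TABLE[indices[k]]) << 8) & 0xFFFFFFFF

    # Replay forwards: each patch byte must satisfy (reg ^ byte) & 0xFF == i_k.
    patch = bytearray()
    for k in range(4):
        byte = (reg ^ indices[k]) & 0xFF
        patch.append(byte)
        reg = TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)
    if reg != want:
        raise RuntimeError("CRC forging failed")
    return bytes(patch)


def forge_matches(data: bytes, target: int) -> bool:
    """True if appending forge_crc32(data, target) yields CRC32 == target."""
    return zlib.crc32(data + forge_crc32(data, target)) == target


# Constructed stand-ins for a genuine release and an attacker's patched copy.
GENUINE_APK = b"PK\x03\x04 constructed fake apk: licensed=yes; version=42"
PATCHED_APK = GENUINE_APK.replace(b"licensed=yes", b"licensed=NO!")


def spoof_report(genuine: bytes, patched: bytes) -> dict:
    """What a server keyed on CRC32 sees from a patched client."""
    trusted_crc = zlib.crc32(genuine)
    forged = patched + forge_crc32(patched, trusted_crc)
    return {
        "trusted_crc32": trusted_crc,
        "patched_crc32": zlib.crc32(patched),   # naive patch: server would block it
        "forged_crc32": zlib.crc32(forged),     # equals trusted_crc32: block bypassed
        "crc_bypassed": zlib.crc32(forged) == trusted_crc,
        "sha256_still_differs": hashlib.sha256(forged).digest()
        != hashlib.sha256(genuine).digest(),
    }


if __name__ == "__main__":
    for key, value in spoof_report(GENUINE_APK, PATCHED_APK).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

In a real APK the four bytes need not sit at the very end of the file; the ZIP end-of-central-directory record carries a variable-length archive comment that the archive parser ignores, so the attacker has a place to put them without breaking installation. The point for the thread is that a CRC32 allow-list only stops an attacker who has not read the CRC code; comparing the signing certificate (what Dianne's reply refers to) or a cryptographic hash is what actually ties the report to your build.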
