On Wed, Sep 14, 2011 at 12:56 AM, androidmediadeveloper <kamathaj...@gmail.com> wrote:

> We are integrating with Market to provide in-app billing on our app.
> The implementation guide says that for additional security we can use a
> server to do the key verification process. This is so we don't bake the
> APK with the public key, I suppose.
>
> Having a server-side presence for us right now is overkill. So,
> outside of the ProGuard obfuscation (which we are doing), are there
> any recommended security techniques that we can incorporate to make
> the APK tighter?
If you don't need to authenticate people who bought an item using IAB and let them download additional content, a server might be overkill.

You can split the key and scramble it somehow so it's not an obvious string resource, if you are worried about people replacing it. However, if someone wants to crack your app, they are far more likely to modify the bytecode to bypass any checking routines you have, rather than trying to replace the key and fool signature checking.

The Google I/O 'Evading Pirates and Stopping Vampires' presentation has some tips on further obfuscation and integrity checking. It boils down to: use native code and server-side code. You decide how far you need to go.
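The key-splitting idea from the reply, written out as an added example (not code from this thread or from Google's IAB sample): the Base64 public key is cut into XOR-masked fragments at build time, reassembled at runtime, and then used for the SHA1withRSA check over the signed purchase data that the IAB guide describes. The helper names (`scramble`, `assemble`, `verifyPurchase`), the masks and the purchase JSON are constructed for the demo; it generates its own RSA pair and uses `java.util.Base64` so it runs on a plain JVM instead of needing `android.util.Base64`.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public final class IabKeyDemo {
    // Build-time step: split the Base64 key into masks.length chunks and XOR each chunk
    // with its own mask byte, so the key never appears as one literal inside the APK.
    static byte[][] scramble(String base64Key, byte[] masks) {
        byte[] raw = base64Key.getBytes(StandardCharsets.US_ASCII);
        int n = masks.length, chunk = (raw.length + n - 1) / n;
        byte[][] out = new byte[n][];
        for (int i = 0; i < n; i++) {
            int from = Math.min(i * chunk, raw.length), to = Math.min(from + chunk, raw.length);
            out[i] = new byte[to - from];
            for (int j = from; j < to; j++) out[i][j - from] = (byte) (raw[j] ^ masks[i]);
        }
        return out;
    }

    // Runtime counterpart: undo the XOR and concatenate the fragments again.
    static String assemble(byte[][] fragments, byte[] masks) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < fragments.length; i++)
            for (byte b : fragments[i]) sb.append((char) (b ^ masks[i]));
        return sb.toString();
    }

    // The IAB check itself: SHA1withRSA signature over the purchase data, verified with the public key.
    static boolean verifyPurchase(String base64Key, String signedData, String base64Sig)
            throws GeneralSecurityException {
        PublicKey key = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(base64Key)));
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initVerify(key);
        sig.update(signedData.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(base64Sig));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");   // constructed stand-in for the Market key pair
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String base64Key = Base64.getEncoder().encodeToString(pair.getPublic().getEncoded());
        String purchase = "{\"orderId\":\"constructed-1\",\"productId\":\"premium\"}"; // constructed purchase JSON
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(pair.getPrivate());
        signer.update(purchase.getBytes(StandardCharsets.UTF_8));
        String base64Sig = Base64.getEncoder().encodeToString(signer.sign());
        byte[] masks = {0x5A, 0x3C, (byte) 0xA7, 0x11};                // constructed masks
        String runtimeKey = assemble(scramble(base64Key, masks), masks); // shipped fragments, rebuilt in the app
        System.out.println("valid purchase:    " + verifyPurchase(runtimeKey, purchase, base64Sig));
        System.out.println("tampered purchase: " + verifyPurchase(runtimeKey, purchase.replace("premium", "pro"), base64Sig));
    }
}
```

As the reply notes, this only hides the key from a string search; anyone editing the bytecode can still make `verifyPurchase` return true, which is why the stronger options are native or server-side checks.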