One could simply patch out the communication with the server and have
whatever function is doing the check just always return true/ok/whatever.
Since your public key is indeed public, and they already have your signed
app and the ability to pull the signature, this would be pretty simple to
bypass.


On Thu, Nov 14, 2013 at 9:55 AM, Andrea Carlevato <[email protected]> wrote:

> Hello,
>
> I am trying to understand if the following can be considered a valid
> strategy to mitigate the risk of my (free) app getting hacked.
>
> I am considering reading my developer public key via:
> PackageInfo info = pm.getPackageInfo( "xxx.xxx.xxx.xxx",
> PackageManager.GET_SIGNATURES );
>
> I would then send via https the retrieved public key to my server, which
> will then decide (and enable or not some online features) if the app is
> genuine or not, by checking if that is indeed my public key.
>
> Can anybody give me feedback on this approach?
> Is it true that it is not possible to change the dalvik code (for example
> putting a line to log my public key) without having to re-sign the apk with
> a different key?
>
> Thanks
> Andrea
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to
> [email protected].
> Visit this group at
> http://groups.google.com/group/android-security-discuss.
> For more options, visit https://groups.google.com/groups/opt_out.
>

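As an added illustration (not code from either message in the thread), here is what the client side of Andrea's proposal looks like when done carefully in Java. GET_SIGNATURES returns the DER-encoded signing certificate rather than a bare public key, so the natural value to compare or report is the certificate's SHA-256 fingerprint. The class and method names are mine and the expected-fingerprint constant is a placeholder. The comments mark the limitation the reply points out: every line of this runs on a device the user controls, so the server learns only that the sender knows a value that is already public, and the check should gate nothing more valuable than that.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Added example, not from the mailing-list thread. Reads the certificate that
 * signed this app and computes its SHA-256 fingerprint. Everything here runs
 * on the device, so a modified build can skip it or hand back a stored value;
 * treat the result as a local speed bump, not as proof of genuineness.
 */
public final class SigningCertCheck {

    // Placeholder: the fingerprint of your own signing certificate goes here.
    private static final String EXPECTED_SHA256 = "PLACEHOLDER:FINGERPRINT";

    private SigningCertCheck() {}

    /** Returns the colon-separated SHA-256 fingerprint of this app's signing cert. */
    public static String signingCertSha256(Context ctx) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        // GET_SIGNATURES is what the original post uses. Android 9 (API 28)
        // deprecates it in favour of GET_SIGNING_CERTIFICATES / PackageInfo.signingInfo.
        PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                PackageManager.GET_SIGNATURES);
        Signature[] sigs = info.signatures;
        if (sigs == null || sigs.length != 1) {
            // More than one signer is unexpected for a typical single-key app.
            throw new IllegalStateException("unexpected signature count");
        }
        // Each Signature holds the DER-encoded X.509 certificate, not a raw key.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(sigs[0].toByteArray()));
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return toHex(digest);
    }

    /** Local comparison against the pinned value; false on any failure. */
    public static boolean matchesExpected(Context ctx) {
        try {
            byte[] actual = signingCertSha256(ctx).getBytes(StandardCharsets.US_ASCII);
            byte[] expected = EXPECTED_SHA256.getBytes(StandardCharsets.US_ASCII);
            // Constant-time comparison; cheap to do and avoids a needless timing side channel.
            return MessageDigest.isEqual(actual, expected);
        } catch (Exception e) {
            return false;
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int i = 0; i < bytes.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", bytes[i]));
        }
        return sb.toString();
    }
}
```

If the fingerprint is also sent to a server over HTTPS as the original post proposes, the server-side comparison is the same string equality, and it inherits the same caveat: a request carrying the correct fingerprint shows only that the sender knows it, which anyone holding the published APK does.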