[android-developers] Extending or replacing existing Android Appa

2009-11-15 Thread android kracker
I copied the Launcher source code from the master (Git) Android source
and created an Eclipse Android 1.6 project using existing code.
Several Java problems exist relating to fields that can not be
resolved. For example: Workspace.java and several other classes have
"mScrollX cannot be resolved" problems. mScrollX is a field in the
View class and Workspace extends ViewGroup, which extends View. Also,
the View class is imported.

Question 1: Why is this not resolved?

Upon examining the contents of the SDK 1.6 android.jar, I see the
implementation of View in the android.jar is nothing like the master
Git Android source code for View. All of the View methods in the SDK
1.6 version of View only contain a "throw new RuntimeException
( "Stub!" )" statement.

Question 2: What's happening here?

Question 3: How do I pull app source code from the master Git and pull
it into Eclipse to either extend it, refactor it, of derive a new app
from it?

Thanks.

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en


[android-developers] Re: Securing a paid app

2009-11-15 Thread android kracker
Using the unique ID (hash) of the phone, register it with your web
service on install.
Then employ PKI to authenticate your app on each launch.
On your web service sign a string containing the hash, timestamp, and
a short expiration timestamp.
Then have your app use your public key (in the app) to authenticate
the string, verify the timestamps, and complete
the launch if valid, otherwise abort the launch or offer the user to
come clean and install.
To prevent code modification--bypassing the check--don't include all
of the code in the app.
Keep some of it on the server and only send it to the app if the check
takes place and passes the check.
This way the app will not function correctly unless the check is
performed and passes.
Create a set of one-off methods (dummys that just pass through) that
you can dynamically use with each app instance; since you
are in control of the download (unlike Market publishers), you can
dynamically build and package a unique app for each instance
downloaded.
This way no two apps use the same method and a hacker is up a creek as
far a patching the code
and replicating it to the community. When one instance is cracked, and
it will be, then your server can cancel that hacked instance
without effecting all of the other valid users. This will create a
string disincentive, because no two app are the same, codewise ;-)

Maybe we should start a service and offer Android publishers a secure
distribution service, unlike the Market.
There is no way to register (stamp an app with a phone id) downloads
from the Market prior to installation.
As it stands now publishers have no way to verify if their app was
downloaded from the Market or copied and installed by other means.

If there is I would like to know. I've asked but I never get replies
regarding this advanced topic. Most publishers are still learning to
just create apps, let alone seek out secure distribution and customer
behavior--only Google enjoys this privilege, currently.

Here's a method snippet for getting the unique ID and hashing it:

String getPhoneID(){
MessageDigest digest;
try {
digest = MessageDigest.getInstance("SHA-1");
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("this should never happen");
}

String srvcName = Context.TELEPHONY_SERVICE;
TelephonyManager telephonyManager =
  (TelephonyManager)getSystemService(srvcName);

/* requires READ_PHONE_STATE permission */
String deviceId = telephonyManager.getDeviceId();
if (TextUtils.isEmpty(deviceId)) {
return "";
}

byte[] hashedDeviceId = digest.digest(deviceId.getBytes());
String id = new String(Base64.encodeBase64(hashedDeviceId), 0,
12);
id = id.replaceAll("/", "_");
return id;
}



On Nov 14, 7:12 am, jax  wrote:
> I am wondering how I might go about securing a paid app on Android.
>
> I am thinking of selling the application from my own website via
> PayPal, however, how will I stop people from sharing it with their
> friends etc.  Does Android have any type of native support for this?

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en


[android-developers] SDK contents re: com.android.vending

2009-10-28 Thread android kracker

Where is the source tree for the package: com.android.vending...?

Also, is there a link explaining why this is not in the public source
tree available via Git? Is it, only because of the dev phones? Doesn't
stop rooted phones or eventual reversing. If it is not available to
developers, but only phone manufacturers, why is it in the open source
package com.android and not in com.google.android instead, because it
is not open source? Please correct me, if I’m misguided.

Why I ask and my diatribe:

I've installed the Android source code via Git and have successfully
executed make. As a developer, I want to totally understand the
vending code, the Market interface, and the client-side operation of
the Market app. I want to understand the limitations and
vulnerabilities surrounding app publishing and how to secure
applications from being pirated (I may even want to create a new
Market app.)  Yea, I know it’s a pipe dream, but at least, I can try
to limit pirating to only the most determined and brightest pirates.

I need to find a way to automatically link a downloaded app to a
phone, and possibly a customer. I want to be able to employ a callback
design and auto-register an app upon download, creating a unique app
instance per phone. If the app is pulled and installed into another
phone then the app will not function correctly, because it is not on
the correct phone. Possible? Sure it is. I just need to determine
where the Market fits into this story and design for or around it.

It would be nice if the Market had a callback feature for vendors to
employ, so vendors could serialize there apps and generate a license
key incorporating the phone's serial number.

Problem is there is no way to stop a hacker from getting your app and
cracking it. They don’t even need a phone to access the market,
because the emulator can be engineered to access the market and
download apps. And if not the emulator then a rooted phone can
introspect and capture all I/O and traces of market interfacing too.

This means vendors should use the market as a proxy to the real app
and force the user to download missing code which requires the phones
serial number to unlock the app, which has dynamically generated code
embedded that only runs on that phone. There are several ways to
accomplish this.




--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
-~--~~~~--~~--~--~---