(I have to confess that I don't understand why Android allows self-
signed apps anyway. If apps had to be signed by a traceable
certificate it would be a lot easier to control piracy.)
On Sep 20, 11:18 am, Bret Foreman wrote:
> This is why I want to do the checksum at runtime. If the pirate
> pa
But if the pirate patches the code he can't install it with the same
checksum, since the phone will cry foul when the app is loaded and the
checksums don't match. Now certainly he could patch out the code that
fetches the checksum, but he could do the same with code that
calculates the checksum dy
Really a waste of time here. Spend your time making good features, and
you will get good customers. Don't risk screwing a real customer over
when something goes wrong in your "protection".
-niko
On Sep 20, 11:18 am, Bret Foreman wrote:
> This is why I want to do the checksum at runtime. If the pi
This is why I want to do the checksum at runtime. If the pirate
patches the code, the checksum won't match any more. I'm trying to
detect an altered apk.
On Sep 20, 8:51 am, DanH wrote:
> The pirate would have to crack a more complex algorithm, but
> again, once he figured out where to patch he c
I think her point is that the checksum is verified during install, so
if you can access the checksum there's no real need to re-verify it.
(I didn't see that she said HOW to access the checksum, though.)
But of course if a pirate can find the code where you fetch the
checksum and patch in his own
How can this be done from the client's device?
I mean is there an API that I can use to test it or is this done
automatically?
On Sep 19, 7:24 pm, Dianne Hackborn wrote:
> I don't think this will gain you any more than just checking whether the app
> is signed with your own cert. In order to mod
What I'm doing in one of my apps is computing the md5sum of the APK on
the device. I check that against known md5's on my webserver. The
result is cached, and the server check is done only once in a while.
I've been testing this for a couple weeks on one of my less popular
apps. Seems to work ok
The market licensing server's response has to be timestamped and
digitally signed already, or it would be useless (people could just
root phones and hack the routing tables to point at an imposter
licensing server, probably running locally on the phone)
Bret Foreman wrote:
> Not a bad idea, but a
Not a bad idea, but a hacker could see the server's response come over
the network and would probably detect me resending part of that
response to my server. But an encrypted version of the license server
response would work.
> use market licensing and have the app forward the
> license server's r
Sure, if they could reverse engineer the program logic then they could
generate the correct checksum...but that's not so easy. Since the
checking logic is on the server side, they won't even know what part
of the code is causing the non-response. Anything that raises the
reverse-engineering bar is
You can usually read non-forward-locked apk's out of /data/app if you
know what their exact path names should be, even though you can't
browse. However, I'm not sure that will always be bit for bit the
same as what you distribute (for example I forgot to zipalign
something the other day, and logca
I wonder if there's a way to access the application's signature.
On Sep 19, 5:07 pm, Bret Foreman wrote:
> As an additional anti-pirating strategy, I'd like to compute a
> checksum on my application at runtime. Since my app communicates with
> a back-end server, I can send the checksum with each
I would love your solution to work, but surely any pirate will be able
to calculate exactly the same checksum.
If they have access to your apk, they have access to the key or
algorithm you are using.
On Sep 20, 8:07 am, Bret Foreman wrote:
> As an additional anti-pirating strategy, I'd like to co