Is it possible to remotely host a resource used in an Android application in such a way that it can only be used by my application?

Basically, what I'm trying to achieve is hosting a CSV file, which will be fetched and used by my application as a data source to populate some tables. The CSV will be updated with the latest data, and I assume that every so often the application will fetch the latest version to make sure the data in it is current.

My question is, can I guarantee that this remote CSV resource is used only by my application?

Presumably, if I just used a plain URL pointing to the CSV, it could be sniffed and the path used by others. I don't see how I can restrict access to it, because users can use the application from almost any connection.

If I use some kind of encryption on the file, could the decryption key be extracted if someone decompiled the Java APK?

Are there other approaches to ensure that my CSV data source is only used by my application?

Thanks.

(I use CSV because the data is not very complex and does not need a database; I am only slightly familiar with the App -> web service -> database approach to this problem when a database is used.)

+6
5 answers

The question you should be asking is: how hard can I make life for crackers? If you distribute your application through the Play Store, look at this question; even though it is on a different topic, the answers and links are valuable.

I assume that your application is not free (since the CSV seems valuable), so take a closer look at the License Verification Library and this blog post, especially the sections Technique: check the license by uploading to a trusted server and Technique: make your application tamper-resistant.

In short, as I understand it, the way to go is as follows:

  • upload your APK to Google using the RSA public key.
  • implement the LVL request inside your application (without encryption and without a private key inside the application package!)
  • forward the LVL response to your server together with the message over a secure SSL connection.
  • on your trusted server, using your RSA private key, check the things mentioned in the blog post; in particular, store the requesting user IDs in a database and count the requests from each UID. If the count is much higher than average, you can assume that this user ID is the one being used for invalid requests.
  • don't answer if anything goes wrong in the check.
  • if everything is OK, answer with your CSV. Only store the data on the Android client if you want the user to use the CSV without a connection; otherwise any rooted device or hacked APK could access and redistribute the CSV. Better: push only the requested parts (e.g. rows) of the CSV to the user.

See this question on replay attacks and how to prevent them, so that nobody can replay the call that delivered the CSV or its parts (e.g. serial numbers in the UID).

Obfuscate your code as well as you can to make the work even harder, as @VinceFR already mentioned.

There are still some attacks left, such as these two:

  • root the device and read the saved CSV without redistributing it; that's why you don't want to store your CSV on the client.
  • reverse-engineer your application, dump the (hopefully complete) CSV they received and use it, probably removing the LVL code to use your application for free; so you still have to obfuscate and send only the requested details.

Even checksums using PackageManager, APK signature checks, etc. will not make this 100%.

But in fact, until the client first loads the CSV (or any other data), your data is safe. It even stays safe as long as you can trust your users (for example, a limited circle of trusted users of an internal application or similar; then you should look at Android's VPN options for accessing the file). After that, it's just a matter of time and effort to put a hack into your application and get at the valuable CSV, and the question is whether someone wants to invest that time.

Site link with additional information and links on LVL from Justin Case.

Read all these links well and remember: making it hard enough that it isn't worth it cannot stop those crackers who get their value from the success itself; I mean, cracking some "uncrackable" software is more valuable, even without getting money or anything else, for some people.

PS: see this answer to another question about "hacked" software; but even a website and its data can be duplicated continuously if it's worth it.

+13
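The server side of the flow sketched in the answer above (verify the forwarded LVL response, refuse replays and stale responses, count requests per user ID, and hand out only the requested rows rather than the whole file), as an added example that is not part of the original answer. It is a small Python model, not Google's LVL code. Assumptions: the field layout follows the LVL signedData string (responseCode|nonce|packageName|versionCode|userId|timestamp; the optional extras part is omitted); real LVL responses are RSA-signed by Google, and to stay dependency-free this example checks an HMAC-SHA256 over the same signedData string as a stand-in, so `verify_signature()` is where an RSA check against your app's public key would go. The CSV, package name, secret and user IDs are constructed sample data.

```python
"""Server-side gate for an LVL-backed CSV download (added example).

The Android client forwards the LVL signedData string and its signature
over TLS. The server checks the signature, rejects replays and stale
responses, counts requests per user ID, and returns only the rows that
were asked for instead of the whole file.

Assumption: real LVL responses are RSA-signed with Google's per-app key
pair. To keep this example free of third-party libraries the signature
check is an HMAC-SHA256 over the same signedData string; swap
verify_signature() for RSA verification with your app's public key.
"""
import csv
import hashlib
import hmac
import io
from collections import defaultdict

# LVL signedData layout (extras part omitted in this example):
# responseCode|nonce|packageName|versionCode|userId|timestamp
LVL_FIELDS = ("responseCode", "nonce", "packageName",
              "versionCode", "userId", "timestamp")
LICENSED = "0"  # LVL response code meaning "licensed"

# Constructed sample data source (not the asker's real CSV).
SAMPLE_CSV = "id,name,price\n1,widget,9.99\n2,gadget,19.99\n3,gizmo,4.50\n"


def parse_signed_data(signed_data):
    """Split an LVL signedData string into a dict; raise on malformed input."""
    parts = signed_data.split("|", len(LVL_FIELDS) - 1)
    if len(parts) != len(LVL_FIELDS):
        raise ValueError("malformed signedData")
    return dict(zip(LVL_FIELDS, parts))


def sign_for_demo(secret, signed_data):
    """Stand-in for the signature a real client receives from Google."""
    return hmac.new(secret, signed_data.encode(), hashlib.sha256).hexdigest()


class CsvGate:
    def __init__(self, secret, csv_text, package_name,
                 max_age_ms=60_000, max_requests_per_uid=50):
        self.secret = secret
        self.package_name = package_name
        self.max_age_ms = max_age_ms
        self.max_requests_per_uid = max_requests_per_uid
        self.seen_nonces = set()              # replay protection
        self.requests_by_uid = defaultdict(int)  # per-UID request counter
        reader = csv.reader(io.StringIO(csv_text))
        self.header = next(reader)
        self.rows = {row[0]: row for row in reader}  # keyed by the id column

    def verify_signature(self, signed_data, signature):
        # Constant-time comparison; replace with RSA verification in production.
        expected = sign_for_demo(self.secret, signed_data)
        return hmac.compare_digest(expected, signature)

    def check(self, signed_data, signature, now_ms):
        """Return None when the request may be served, else a rejection reason."""
        if not self.verify_signature(signed_data, signature):
            return "bad signature"
        try:
            fields = parse_signed_data(signed_data)
        except ValueError:
            return "malformed"
        if fields["packageName"] != self.package_name:
            return "wrong package"
        if fields["responseCode"] != LICENSED:
            return "not licensed"
        if now_ms - int(fields["timestamp"]) > self.max_age_ms:
            return "stale"
        if fields["nonce"] in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(fields["nonce"])
        uid = fields["userId"]
        self.requests_by_uid[uid] += 1
        if self.requests_by_uid[uid] > self.max_requests_per_uid:
            return "too many requests for this user ID"
        return None

    def fetch_rows(self, signed_data, signature, row_ids, now_ms):
        """Serve only the requested rows; return (None, reason) on rejection."""
        reason = self.check(signed_data, signature, now_ms)
        if reason:
            return None, reason
        return [self.rows[r] for r in row_ids if r in self.rows], None


if __name__ == "__main__":
    secret = b"demo-server-secret"  # constructed; stays on the server only
    gate = CsvGate(secret, SAMPLE_CSV, "com.example.app")
    data = "0|123456|com.example.app|7|user-A|1000"
    sig = sign_for_demo(secret, data)
    print(gate.fetch_rows(data, sig, ["1", "3"], now_ms=2000))
    print(gate.fetch_rows(data, sig, ["1"], now_ms=2000))  # same nonce again
```

The nonce set and the per-UID counter live in memory here; on a real server they belong in the database the answer mentions, and the per-UID threshold is what lets you spot one license response being shared by many installs.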

In addition to all the other answers, there's an Android Developers Blog entry called "Verifying Back-End Calls from Android Apps", which should also be interesting to you, in case you haven't come across it yet.

+5

No, it is impossible.

As you suspected, your application can always be reverse-engineered to reveal how it gets the resource.

+3

If you use home-made encryption (based on known encryption schemes), other applications can read your CSV file, but your application will be the only one able to decode it. To make reverse-engineering your encryption code harder, you can write the encrypter as a mix of Java and C (using JNI), and, of course, remember to use ProGuard or another obfuscator.

+2

As already mentioned, if your application can reach the data, then with some effort third parties can reach it too.

However, a low-tech solution is simply to set a custom HTTP Referer header in your application and check it on your server.

It will only stop lazy unauthorized users, but for some use cases the return/effort ratio can be quite good.

+1

Source: https://habr.com/ru/post/949830/
