Android Question Hardening app security, verify signature?

techknight

Well-Known Member
Licensed User
Longtime User
I am thinking of ways to harden the final app/APK.

Is it possible to verify the App's signature/certificate during runtime? Basically a simple check to see if the APK had been decompiled or resigned? And also a check for the "Debuggable" flag that could be added in the manifest editor?

I know most of these events are futile in the hands of hackers, but it would make things a little bit harder.

Basically, I am trying to obfuscate the possibility of someone inserting malware into my APK or break the licensing system and recompile.
 

techknight

Well-Known Member
Licensed User
Longtime User
Tell that to Denuvo, the developers of the protection for Just Cause 3....

Anyways, your response didn't really help me at all.
 

wonder

Expert
Licensed User
Longtime User
The ProBundle contains a guide which will point you in the right direction.

 

techknight

Well-Known Member
Licensed User
Longtime User
I'll have to think about it. It appears it's donationware, and there is no demo or sample of its usage, etc. without paying for it.
 

lemonisdead

Well-Known Member
Licensed User
Longtime User
no demo or sample on its usage, etc without paying for it.
Right, but the sheet about how to protect the app is detailed and really helps to understand what to do and how to do it to protect the app.
 

lemonisdead

Well-Known Member
Licensed User
Longtime User
Nope, that sheet is a 22 pages document and part of Informatix Pro Bundle, named "ProtectMyApp".
Informatix explains with various examples how hackers could see your code and how you can avoid that. I cannot post samples because it is his property, but it ends like this:
informatix said:
Now, our code is a nightmare for hackers. An experienced hacker will certainly succeed in defeating the protection, but “Good luck my friend"
 

Informatix

Expert
Licensed User
Longtime User
I'll have to think about it. It appears it's donationware, and there is no demo or sample of its usage, etc. without paying for it.
If I expose publicly the method or give enough advices to reproduce it, then asking for a donation becomes pointless. My method is based on the signature but it's not just a check as it's easy to remove a check. It's more clever and more difficult to remove. This protection is probably the best available nowadays for Android. The critical parts of the code are in C (so you need also the libraries, not only the PDF guides). And if you want to see how strong the protection is, try to hack my game "Diktatour" available on Google Play.
The PDF also gives tips about what to do and what to avoid, with the reasons behind them, because locking your door is useless if you open the windows.
 

techknight

Well-Known Member
Licensed User
Longtime User
Well, I may just have to purchase it and try it out. See how it does. ;-)

Basically, I am creating a username/password/challenge key negotiation system for my app, and it's useless if it can all be patched out of it.

Plus there needs to be a public key or something to decrypt the server data during the session, and the license file stored on the device for that particular app.
 