Android Question Prevent hack url

Blue.Sky

Active Member
Licensed User
Longtime User
Hi
I'm using url for payment in my app
You know,hacker can decompile app and change address to self url
How can i prevent change it?
 

Blue.Sky

Active Member
Licensed User
Longtime User
How the payment is implemented?

I suppose you only need code server-side (PHP scripts, for example).
Yes your suppose is right
Assume i have a link (www.example.com/payment) in app
now when i click button,redirect webview to up link
Now i anybody change up link to other link,so it hacked
 
Upvote 0

techknight

Well-Known Member
Licensed User
Longtime User
Two things here.

1. If your worried about the hacker cracking the app so itll run as the full version, by simply changing the payment URL. Well thats not likely to happen because the hacker would have to analyze the code to figure out which parts need set or executed to allow the App to run in the full version mode. And by the time he figures that out, he wouldnt need to change or even use the URL anymore. it would be pointless. Then the hacking techniques get published to an app called lucky patcher. If its worth patching for someone. Also the google authentication/licensing/payment libraries most people use in their apps, are hacked badly. I mean so hacked to the point that lucky patcher can generate "licenses" for most apps that use them. Dont use them unless your forced to! Also when people use Ads on the free versions of the apps, they use again, public Ad libraries and servers. Again, hacked and patched!

2. If your worried about hackers changing the URL to phish/steal CC information from consumers, Again they would need to figure out how the app works and what types of input/output it expects so they dont "break" it with the phishing. But, Again, if your app is published in the Google Play store, the hacker cannot change and reupload the app with your signature or your account. Where are they going to publish a hacked app that a consumer could trust? So unless the consumer/user is a bumbling idiot and downloads the app from an untrusted 3rd party, its likely not going to happen in the traditional manner. Another thing you can do is implement SSL using your own keys. So unless the hacker has the private key, any URL/Server change will break the SSL trust chain, unless hes good enough to decompile the app and change the properties for the SSL.
 
Last edited:
Upvote 0

Informatix

Expert
Licensed User
Longtime User
unless hes good enough to decompile the app and change the properties for the SSL.
A hacker, even a newbie, should be able to do that. Changing something in a compiled APK is very easy and there are many sites on internet explaining how to do. Decompiling to Java is not even required... I explain the techniques really used by hackers in my guides.

I agree that people who download a copy on a dubious internet site and use it to send private info are naive, but that happens every day unfortunately. Here's an example: http://www.welivesecurity.com/2014/04/22/facebook-android-bank/
 
Upvote 0
Cookies are required to use this site. You must accept them to continue using the site. Learn more…