Android Question String value corrupted on installation

[nwhitfield]

In one of my apps, we use a mechanism a bit like a pound shop version of Oauth, to allow people to grant the app access to their account on the website.

The app opens a URL, passing a parameter that identifies the device, and another that identifies the app; the user then logs in, grants permission, and the app uses an API to retrieve a token that's used in future.

This works well, except someone has just come to me with a problem using it on a device with Android 4.2.2.

After ages looking at the logs, I determined that his installation is sending the wrong string to identify the app.

The app's key is set up like this

Dim authKey As String="XXXXXXXXXX1af236bcfe01fcfd606f5eXXXXXXXX"

When the user wants to authorise, I initialise a webview called webAuth, and then call this code

webAuth.LoadUrl(BLUF.authURL & "?auth=" & BLUF.authKey & "&token=" & BLUFtools.GetDeviceId)

This has all worked fine, until this one device. After looking at logs, I finally spotted that one character was changed in the authKey, so in the middle instead of "606f5e" this device is sending "60615e"

I've rebuilt the APK and sent a zipped copy to the user; still the same result. Installing on my test device, all works fine, and the string is unchanged.

Has anyone seen anything like this before? I have a suspicion something similar is also happening with another string in the app, also a 40 char hash, but I've not verified that yet as it's POSTed, so a pain to capture.

I've used the search tool in the API to verify that there's no code anywhere that alters the value of authKey, in any of the modules. It simply ends up with one character changed, on this one device

 

[DonManfred]

I dont see any reason why a string should change when compiling it!?
Can you repreoduce it in a small example app?

 

[nwhitfield]

Nor do I; and it doesn't appear to be during compilation, as the apk is just fine when it's installed on my device. It's just when it's installed on this other person's that it doesn't work - so it's extremely hard to know how I could reproduce it, really. I'm wondering if he has some av tool or something like that on his phone that's messing it up when he installs

 

[DonManfred]

It's just when it's installed on this other person's that it doesn't work - so it's extremely hard to know how I could reproduce it, really

the string is not generated dynamically in your app? Maybe reading some fields from a file and build the string or so?

that's messing it up when he installs

The AV soft need to change data inside a compressed APK (a zip).
I can´t imagine this could be the reason here

 

[nwhitfield]

Nope, the string's declared at the top of a module, and never altered anywhere else in the code. I'll try putting it in a text file in the assets and loading it from there at startup. It's effectively an api key. There are a few others declared elsewhere in the app for things like FourSquare and similar services. I wonder if, once I get the one for signin working, I'll find his device has screwed up the others.

Must admit, since it's a device with 4.2.2, and only this one user who's ever had a problem, I'm very tempted to say "Sorry, mate, not supported"

 

[Cableguy]

Since this only happens with this 4.2.2 phone, (I take that you have more 4.2.2 that show no signs of this) then there must be some app screwing things up

 

[nwhitfield]

Yes, there must be something on this phone; I'll have to check my logs to see if anyone else is using 4.2.2, but I've done a couple of things:

1. Added a long click function to a button to display the current value of the string.
2. Added a menu function to load the value from a conf file.

Both before and after loading from the conf file, the correct value of the string is shown.

But in both cases, when it's used to create the URL for the webview, that one character is rewritten, making the whole process fail. Absolutely mystifying; if the user was nearby, I'd try to grab their phone to experiment in person, but they're in Japan and I'm in London, so it's a bit tedious.

My closest hunch is that something, somewhere, between the app on his phone and my web server is rewriting the query string.

 

[Cableguy]

can it be that the user has some kind of usage restriction, being it on the phone or on the service carrier?

 

[OliverA]

Could it be related to the language setup on the phone? Language setup and string manipulation can cause weird issues at times.