In one of my apps, we use a mechanism a bit like a pound shop version of OAuth, to allow people to grant the app access to their account on the website.
The app opens a URL, passing a parameter that identifies the device, and another that identifies the app; the user then logs in, grants permission, and the app uses an API to retrieve a token that's used in future.
This works well, except someone has just come to me with a problem using it on a device with Android 4.2.2.
After ages looking at the logs, I determined that his installation is sending the wrong string to identify the app.
The app's key is set up like this:
Dim authKey As String="XXXXXXXXXX1af236bcfe01fcfd606f5eXXXXXXXX"
When the user wants to authorise, I initialise a webview called webAuth, and then call this code:
webAuth.LoadUrl(BLUF.authURL & "?auth=" & BLUF.authKey & "&token=" & BLUFtools.GetDeviceId)
This has all worked fine, until this one device. After looking at logs, I finally spotted that one character was changed in the authKey, so in the middle instead of "606f5e" this device is sending "60615e".
I've rebuilt the APK and sent a zipped copy to the user; still the same result. Installing on my test device, all works fine, and the string is unchanged.
Has anyone seen anything like this before? I have a suspicion something similar is also happening with another string in the app, also a 40 char hash, but I've not verified that yet as it's POSTed, so a pain to capture.
I've used the search tool in the API to verify that there's no code anywhere that alters the value of authKey, in any of the modules. It simply ends up with one character changed, on this one device.
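
An added example, not part of the original post: a server-side check that classifies the `auth` parameter of an incoming request and reports where a same-length value differs from the registered key, so a corrupted key like the one described shows up in the logs as a near miss with its position. It assumes a Python back end (the post does not say what the website runs); the host name, `token` value and function names are hypothetical, and the received key is constructed from the post's description.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# App key as shown (masked) in the post.
REGISTERED_KEY = "XXXXXXXXXX1af236bcfe01fcfd606f5eXXXXXXXX"

# Constructed sample requests; host and token value are placeholders.
GOOD_URL = ("https://auth.example.invalid/grant?auth="
            "XXXXXXXXXX1af236bcfe01fcfd606f5eXXXXXXXX&token=device-0001")
BAD_URL = ("https://auth.example.invalid/grant?auth="
           "XXXXXXXXXX1af236bcfe01fcfd60615eXXXXXXXX&token=device-0002")


def diff_positions(expected, received):
    """List (index, expected_char, received_char) for equal-length strings."""
    return [(i, e, r)
            for i, (e, r) in enumerate(zip(expected, received)) if e != r]


def classify_auth_request(url, registered=REGISTERED_KEY, max_diffs=2):
    """Classify the auth= parameter of a request URL.

    Returns (status, diffs) where status is one of:
      'ok'        exact match
      'near_miss' same length, at most max_diffs characters differ
                  (looks like corruption of a genuine key, worth logging)
      'missing'   parameter absent or repeated
      'mismatch'  anything else
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("auth", [])
    if len(values) != 1:
        return "missing", []
    received = values[0]
    # Constant-time comparison for the accept/reject decision itself.
    if hmac.compare_digest(received.encode(), registered.encode()):
        return "ok", []
    if len(received) == len(registered):
        diffs = diff_positions(registered, received)
        if len(diffs) <= max_diffs:
            return "near_miss", diffs
    return "mismatch", []


if __name__ == "__main__":
    for url in (GOOD_URL, BAD_URL):
        status, diffs = classify_auth_request(url)
        print(status, diffs)
```

A near miss is still rejected; the point is only to log the differing index and characters instead of a bare failure.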