Can I decompile a signed and installed Android app? - apk

I need to store some passwords inside an android app. I have no way around since this particular app cannot do authentication with a remote server.
I was looking at this decompiler:
http://www.javadecompilers.com/apk
Yet I have a simple question for which I see different answers online. Is it possible for a hacker to root my client's device, get the application (I assume the apk is inside the device somewhere), run a decompiler and look up the passwords?
Note that this is a production app and will be signed and installed through the Google store. This is not just an unsigned apk floating around.
Thanks.

Yes, someone could take your passwords. Signing your apk won't make a difference.
You can secure your passwords by storing hashes in the APK. Then, even if someone decompiles your code and takes the hashes, there's nothing they can do with them, since they still won't have the plaintext to send to the app.
If all you need to do is control access to your signed app then that should be good enough. Though it doesn't prevent an attacker from decompiling your signed apk, modifying it, and recompiling it into an unsigned one. There's no reliable way to stop this, like there is no way to stop video game piracy. But techniques like obfuscation can help.
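As an added example (not code from the question or the answer above), this Python sketch shows what "storing hashes" means for the local-only access control the question describes: the APK ships a salted PBKDF2 verifier instead of the password, and a release-time scan of the APK zip confirms the plaintext is no longer inside it. The APK stand-in, the password and the iteration count are constructed; on Android the same PBKDF2-HMAC-SHA256 construction is available through javax.crypto's SecretKeyFactory.

```python
import base64
import hashlib
import hmac
import io
import os
import zipfile

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value, tune it for the slowest device you support


def make_verifier(password, salt=None, iterations=ITERATIONS):
    """Build the only thing the APK should carry: scheme, iteration count, salt and digest (all ASCII)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2-sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def check_password(candidate, verifier):
    """Check user input against the shipped verifier; the original plaintext never exists in the binary."""
    parts = verifier.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2-sha256":
        return False
    iterations, salt, expected = int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)  # constant-time compare


def build_apk(strings_xml):
    """Constructed stand-in for an APK: a zip holding one resource file, which is what a decompiler unpacks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/values/strings.xml", strings_xml)
    return buf.getvalue()


def apk_files_containing(apk_bytes, needle):
    """Release-time check: list APK members whose raw bytes still contain the given plaintext.

    Catches ASCII literals in resources and DEX string pools; it will not catch encoded or split strings."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if needle.encode("utf-8") in zf.read(name):
                found.append(name)
    return found
```

Hashing only helps when the app itself is the verifier; a credential that has to be presented to another system in plaintext cannot be protected this way.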

Related

Is there a way to detect if a macOS app running is from the Mac App Store or not?

I have this app of mine that is distributed on the Mac App Store and outside it, from my own site.
I need to detect, at run time, which version is running, so I can make some decisions inside the code.
Is there a way to detect that? How can I differentiate that? Is there a way to know if the app is signed for the App Store or not?
Edit: I have found this library, but it is not good because it reports that the app is not from the App Store simply if the receipt is missing. But the receipt may be missing for other reasons. The lack of a receipt is not a good enough reason.
I see two ways to do this:
1. Make a compile-time flag. Compile it one way for submission to the App Store, the other way for distribution outside the App Store.
2. Rather than just checking your app's code signature validity (as the library you found does), call SecCodeCopySigningInformation to get signature details, and look at the kSecCodeInfoCertificates array to see whether it includes your Developer ID cert or the "Apple Mac OS Application Signing" cert used by the App Store.
IMO the second option is significantly more complex and fragile; for example, if Apple changes how they sign App Store apps, your code may break. I'd go with the first option.

Xcode: test a distribution IPA on a device

I have a little problem and I am wondering if this is possible. I have just finished updating an app with push notifications for a client. I don't have access to the server side, so I tested the push by modifying the app id and temporarily making it my own, created the necessary certificates and provisioning profiles, and then tested it using the PushMeBaby app. All works fine without problems.
And now the client wants to publish it and he gave me the distribution certificate and provisioning profile for distribution. I am not a member of his team, but I somehow found a way to build it using the command line.
Now comes my problem: I wanted to test it first on my device to check if the push notification works. The server is already set up since it already exists in the store. I know for sure that the push will work, but somehow I really feel the need to test it first on my device. I tried to ask him to use TestFlight for testing, but he said he doesn't know how to do it. I offered to do it myself, but he doesn't allow it because the original developer made some anomalies with his account, so as much as possible he won't give it to me, saying there must be another way to test it myself.
And so I ask: is there any way to test it with just the distribution certificate and provisioning profile provided? If not, what would be the best alternative, considering having the client do only very minimal and easy things on his side, if any?
Hoping for someone to actually give a hand or a hint.
Thanks in advance.

Do I need to protect my desktop app if distributed over the App Store?

I have made a simple desktop app that I want to sell through the App Store. Of course I want to be protected against piracy. Does the App Store give any protection? How does that process work?
For instance, what prevents a dishonest person from buying my app and then uploading it to a torrent and sharing it with others? If these other people download my app, will they automatically be asked for an identity check (Apple ID and password) the first time they try to use my app, thus preventing them from using it if they have not bought it legally?
If this identity check does not happen automatically, then do I need to add some code in my app that will ask for the identity check? If so, where can I find info about how to do that?
I'm not entirely sure how this process works. Could somebody shed some light on it?
The Mac App Store slips a receipt into the bundle each time the app is downloaded. The receipt contains information about the computer used (the so-called GUID) and the user logged into the App Store.
See here how you should validate the receipt:
https://developer.apple.com/library/mac/releasenotes/General/ValidateAppStoreReceipt/Introduction.html#//apple_ref/doc/uid/TP40010573
If you implement the GUID validation as described in the document, the app will not run on any other computer.
Also check the signature of your code to make sure it has not been tampered with:
Verifying app's signature by code
Your application, when downloaded from the App Store, contains a receipt. The receipt contains proof that it was downloaded onto this computer from the App Store, and the ID of the application. There are instructions somewhere on Apple's website that tell you how to verify the receipt and what to do if the verification fails.
That said, you are much better off concentrating on writing an app that people actually want to buy. People who pirate your app wouldn't hand over money if it couldn't be pirated. They would do without it, pick some free app, or pick a different app that they can pirate.
And I'm quite sure that any copy protection you build into your app yourself will get it rejected from the App Store.
Even though the answers I've got were helpful, they didn't quite provide the answer I needed. Looking around I found software called Receigen from Laurent Etiemble, and the FAQ on his site (http://receigen.etiemble.com/faq.html) gave many answers to what I was looking for. For instance:
What is an App Store receipt validation? Why is it needed?
Basically, an App Store receipt is what an application must check to ensure that the copy is genuine and can be run.
What happens if I don't check the App Store receipt?
Well, anybody with a copy of your application can run it, with or without proper authorization.
Is the code receipt validation easy to write?
No because it requires deep understanding of cryptography and secure coding techniques.
It didn't hurt either that Receigen generated code that freed me from dealing with receipt validation code. Receigen takes care of this part so I can focus on what is really important for me: my application.
Yes, it costs money, but personally I am more than glad to pay it, because I find this part of the development tedious, boring and complex.
TPInAppReceipt is a great package for this.
I was able to easily add local receipt validation after trying many other solutions less successfully:
https://github.com/tikhop/TPInAppReceipt

Signing of binary by someone else

I am trying to figure out if I am in a potential bind here. I am having someone else develop my app and I have given them complete access to my developer account to create the certificates to build the binary. I have uploaded the binary using the Application Loader and it is now waiting for review by Apple. My question is: when it comes time to update the app, will I be able to do so without using the programmer who signed the certificate? When I become competent I'd like to do this myself, but I'm clearly not there yet. I don't want to be in a situation where I have to keep going back to the same programmer to do the smallest thing.
Yes, provided you:
Have them send you the signing assets as described in "Exporting Your Code Signing Assets to Your File System" in the Xcode documentation. Note that they will still be able to sign using your key.
Have them send you the original project, obviously.
Once you part ways with them you should change the passwords of any accounts they've been given access to, like Apple ID and iTunes Connect.
At a later date, or as a last resort, you can create new signing assets as described in "Reset Your Signing and Provisioning Assets..." in the Tools Workflow Guide.
So, most important going forward, they must not have access to any Apple accounts belonging to you.

What is the easiest way to test/debug Symbian applications on the phone?

I am currently experimenting with programming for my Nokia 5800 XpressMusic (running Symbian 9.4). Setting up the development environment (Carbide C++) was already a huge pain, but now that I am actually able to build something the pain doesn't stop! It seems there is an incredible overhead involved when you actually want to test an application on the phone. But I really hope somebody more experienced than me knows some easy way to do it.
If I understood right, every application has to be signed. I can sign applications myself, so this is not a problem and it seems to work fairly well. But then it seems not all capabilities are available if I do this, and the one I need is amongst them. So now I have the option to buy a publisher ID to get a developer certificate (current cost: 200$ - no thanks) or I have to upload the application every time to Symbian Signed! Every time I change the code and want to test on the phone I have to upload the thing using a stupid web form!
But now I was excited to find that you can do some remote debugging stuff with a thing called TRK (maybe this spares me the signing?). I hoped that I could use this to connect Carbide and my phone. But this doesn't quite work. My phone doesn't show the application required for this connection although it installed properly. I had a look at the supported Symbian version number and it seems to be 9.2, so not mine :( Stuck again?
And the emulator is no option because it doesn't support sensors and cameras :(
So what am I doing wrong (and surely there must be something)? Is the only way to test my app on the phone to actually upload it every time, wait for it to get signed, download it again, install it and test - just to see it didn't work and that I have to repeat this process over and over again?? PLEASE no...
Follow the instructions here http://www.forum.nokia.com/Distribute/Packaging_and_signing.xhtml to get yourself a free certificate for 5 testing devices; then you can use this certificate to sign your applications directly without using Open Signed.
When you use TRK, your application is still installed on the phone (in the background, with the so-called silent installation API - by the way, you can use it too, but it's off-topic), because the only eligible way for a binary to get into the phone is the Installer Service. So you still need some certificate. All three options to get a certificate mentioned here are ok, though the last, free one (from Mahdi Hijazi) is, I suppose, the preferred one. :)
Please go to
http://www.opda.net.cn/register.php
then apply for an OPDA Developer Certificate, download the signer tool from the site and use it to sign your Symbian applications.