1

I'm writing a ringtone gallery app which ringtones reside on a server and they can be downloaded by user.

What I want is to check and verify if the connection is really from my app not other apps or a HTTP request generator. for example I don't like someone write an app that uses my back end and show his ads in the app. It's like image leaching in web site which is prevented by checking the referrer.

It's not possible to insert a key in the app as android apps can be decompiled so easily. I thought of gaining the app signature and send it's hash as a key, but it's like any app can access other apps signature hash.

what about writing part of app which do the communication in native code? is it decompilable as easy as java code?

I really can't think of any other way and I don't like others use my resources for their benefit.

Ali
  • 21,572
  • 15
  • 83
  • 95
  • It's not possible to be *absolutely* certain that the app is yours - see [here](http://stackoverflow.com/questions/4842709/android-verifying-the-applications-integrity-on-the-server-side?rq=1) and [here](http://stackoverflow.com/questions/10155316/how-to-verify-that-server-calls-are-being-made-from-the-app?rq=1). If what you're really asking is how to be *reasonably* certain the app is yours, in other words what best practices do other android developers use, then I too would like to know the answer... – DevOfZot Jun 17 '13 at 23:07
  • @DevOfZot I've seen both links, not a safe method. What about implementing communication part of the app in native code beside using https. I think decompiling native code is much harder than java which is decompiled so easily with dex2jar? – Ali Jun 17 '13 at 23:13

1 Answers1

3

There are a couple of things you can do.

  1. Create your own Certificate Authority, ship a certificate with your app and use two-way TLS authentication. This does not protect against decompilation and reverse-engineering but protects traffic en route.
  2. Use the advice in this slide deck to detect modifications and debuggers.
  3. Use Jelly Bean's hardware-backed secure storage.

At the end of the day, though, DRM is a lost battle. If the user has root access, all bets are off, with or without obfuscation (which native libraries are). The only question is how important is your data. For 90% of applications, running it through ProGuard makes it nearly impossible to untangle (especially if you use data flow obfuscation). Along with the certificate approach, that should suffice for most things.

Alternatively, try to change your model, so that you're authenticating the user and not the app - that's far simpler!

Delyan
  • 8,881
  • 4
  • 37
  • 42
  • What about it? It's not panacea, it's still decompilable, just a bit harder. You're not making anything "secure", just obfuscating things and making the app overall much harder to maintain. – Delyan Jun 17 '13 at 23:25
  • so, there is no way in general. – Ali Jun 17 '13 at 23:29
  • None, if the device is rooted. With the points I've listed, you'll get very close to unbreakable for any consumer data on a non-rooted device. By the level of your question (no offence meant), I suspect the data won't be *that* secure. As an aside, my bank's app heavily uses ProGuard and implements their own RSA encryption from first principles (you get e and n from a REST API in base64). This of course doesn't help with the security at all but it makes it *damn difficult* to reverse-engineer (enough that I've given up my casual attempts). – Delyan Jun 17 '13 at 23:34