I have an Android app and I'm saving highscores simply in Shared Preferences. On a rooted device, you can just edit the XML and modify the score. Because I'm planning to add Google Play Leaderboards in the next update, I need to store them safely. Right now, I'm just saving the score and a salted hash of it. But there's one problem: it is easy to decompile the app using decompileandroid.com, read how I'm salting it, and reproduce the process afterwards.

I want to be able to sync highscores which were made offline. It's a really simple app that is definitely supposed to be played on a bus or train.

tensojka
  • I think Google Play Service will take care of it if you use it – Jemshit Apr 08 '15 at 18:50
  • I they won't. I still need to store the highscores offline to be able to sync them after the app is launched when your phone is online. – tensojka Apr 08 '15 at 18:57

2 Answers

You can use internal storage. The details are on the official Android developer site: http://developer.android.com/training/articles/security-tips.html

I hope it helps.

ARP
  • It won't help. If somebody roots the device, the files will be accessible. – tensojka Apr 09 '15 at 18:10
  • Right now I think there is no way to have an app 100% secure. In any case, you can use several security techniques at the same time to increase the security of your app. One of them is to obfuscate the code so that it is hard to understand when someone decompiles the app. It's not 100% secure, but the time needed to understand the code increases a lot. You can use ProGuard: http://proguard.sourceforge.net/FAQ.html – ARP Apr 14 '15 at 17:50

Since the customer is in control of the device, and the game is played offline, it will always be tamperable. There is no storage on the device that root cannot access, and there is no way to fully obfuscate client side code so that the user can't reverse engineer it. Your options are to 1) change your design and require closer server-side integration to detect cheating, or 2) to attempt to make it more difficult by obfuscating the APK, and putting in bypassable protections like you have suggested with the integrity checking hash.

Alex Lauerman
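
One way the server-side cheat detection suggested in the answer above could look for scores synced after offline play, as an added example that is not from the original posts. It assumes a per-player key issued at the last online sync, a client that reports play duration, and made-up game limits; every name and value here is hypothetical.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Assumed limits for a hypothetical game; derive real ones from the game rules.
MAX_POINTS_PER_SECOND = 50
MAX_SESSION_SECONDS = 4 * 3600
CLOCK_SKEW_SECONDS = 300

@dataclass(frozen=True)
class OfflineScore:
    player_id: str
    session_id: str   # random id the client generates per game
    score: int
    duration_s: int   # play time reported by the client
    ended_at: int     # client clock, Unix seconds
    tag: str = ""     # hex HMAC-SHA256 over the other fields

def compute_tag(key: bytes, s: OfflineScore) -> str:
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps([s.player_id, s.session_id, s.score, s.duration_s, s.ended_at])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def validate(s: OfflineScore, key: bytes, seen_sessions: set, now: int) -> list:
    """Return the reasons to reject a synced score; an empty list means accept."""
    reasons = []
    if not hmac.compare_digest(compute_tag(key, s).encode(), s.tag.encode()):
        reasons.append("bad tag")
    if s.session_id in seen_sessions:
        reasons.append("replayed session")
    if not 0 < s.duration_s <= MAX_SESSION_SECONDS:
        reasons.append("implausible duration")
    if s.ended_at > now + CLOCK_SKEW_SECONDS:
        reasons.append("timestamp in the future")
    if not 0 <= s.score <= max(s.duration_s, 0) * MAX_POINTS_PER_SECOND:
        reasons.append("score outside plausible range")
    if not reasons:
        seen_sessions.add(s.session_id)  # remember accepted sessions
    return reasons

# Constructed sample data, not from the page.
KEY = b"per-player-key-issued-at-last-online-sync"
NOW = 1_428_600_000
honest = OfflineScore("p1", "s-001", 4200, 120, NOW - 60)
honest = replace(honest, tag=compute_tag(KEY, honest))
edited = replace(honest, score=999_999)         # stored value edited, tag untouched
resigned = replace(edited, session_id="s-002")  # tag recomputed with an extracted key
resigned = replace(resigned, tag=compute_tag(KEY, resigned))
```

The tag only catches edits made without the key; the `resigned` case carries a valid tag and is rejected by the plausibility limit alone, which is why the check has to run on the server.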