
I have read a few examples on SO for securing client / data. But we have a little bit different issue, and not sure where to look.

Basically we have an Android game which is a geo-location based game. We use HMAC-SHA1 on the query string to verify that the data being sent from the client is in fact from the client. There is a small issue: the HMAC-SHA1 key. I can obfuscate to my heart's content, but the key remains in the app. Someone can easily decompile the app, grab the key, and then send manual queries by a browser for their user account (spoofing GPS).

I saw one example where someone suggested client & server side SSL authentication. Not sure how that would work; would you not just need to attach an SSL cert to the app? Would this not be subject to decompiling also? It would require the end user to recompile / use the cert?

Can we somehow use the package manager to get the self-signed cert? I need to find out the correct way to secure our transmission so someone can't fake their transmissions for their own user account.

Thanks

Chrispix
  • So, I found this : http://stackoverflow.com/questions/5578871/android-how-to-get-app-signature But it looks like anyone can get the hash of your own signed app, using the same methods. So that seems like a bit of a bummer. Any other ideas? – Chrispix Apr 22 '12 at 19:52

1 Answer


To authenticate the client, it needs some form of credentials. You can either:

  1. don't save the credentials and have the user input them every time
  2. save them somewhere
  3. use system credentials
  4. use some form of an identity provider

1 is inconvenient, 2 is subject to attacks as long as someone has physical access to the device. For 3, you could use the user's Google account so you can be (pretty) sure who they are and block them if there are any problems/attacks. 4 is really a variation of 3: the user will authenticate to some third-party service and it will only issue a (temporary) access token. So if the account is compromised the token will eventually expire and/or be revoked (look into OAuth). Consider the risks and amount of work to implement and take your pick.

As for using client certificates, you can store them encrypted, so you need to provide a passphrase to use them. On pre-ICS you need to implement this yourself, on ICS you can use the system key store via the KeyChain API. You will only get access to the private key after you unlock the device (uses the unlock password/PIN to protect keys) and the user explicitly grants permission.

If you want to stick to your current way of doing things, implement the HMAC part in native code (OpenSSL, etc.), and generate the key at runtime by combining bits of it. That would make it fairly hard to reverse engineer. Additionally, you might want to add some sort of a nonce, so that requests cannot be replayed.

Nikolay Elenkov
  • So it sounds like to provide a solution on more than just ICS, the route we are going is probably the way to go. I am wondering if we did something in native code, but maybe did something against the hash of the signing signature. That way the actual key is not saved, but it is generated by multiple parts (or doing something like nonce + hash + some algorithm all done in native). Any idea if the package manager APIs are available in native? I am guessing not, would have to write a JNI interface to them. – Chrispix Apr 23 '12 at 03:39
  • What are you trying to authenticate? The user? The device? The transaction? If it is the device, you could derive a key from any (or a mix of) device properties (IMEI, MAC address, etc.) Don't think there is a native PackageManager, but I haven't checked really. – Nikolay Elenkov Apr 23 '12 at 03:43
  • I guess I am trying to authenticate the client (app, not phone) & user. – Chrispix Apr 23 '12 at 18:17
  • For authenticating the app, doing something based on signature value might work. That should weed out repackaged apps. You could probably get the signature by using zlib or similar to extract it from the APK. Something similar (for CRC) is presented here: http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en//events/io/2011/static/presofiles/dgalpin_android_pirates_and_vampires.pdf – Nikolay Elenkov Apr 24 '12 at 03:08
  • I will check out zlib, that should help out. Thanks. – Chrispix Apr 24 '12 at 14:59
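The answer's last suggestion (sign the query string with HMAC-SHA1 and add a nonce so requests cannot be replayed) is easiest to see from the server's side, which is the half the decompiled app cannot change. The following is an added example written for this page, not code from the question, the answer, or the game's actual backend. It uses Python on the server rather than the native Android client the answer describes, and the key, the fixed clock and the in-memory nonce store are constructed stand-ins: a real deployment would keep seen nonces in a shared store such as a database. Note what this does and does not buy you: a nonce plus a timestamp window stops a captured request from being resent, but it does nothing against someone who has extracted the key and signs fresh requests, which is the problem the rest of the answer addresses.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode


def canonical_string(params):
    """Deterministic serialisation of the query parameters (minus the
    signature itself) so client and server sign exactly the same bytes."""
    return urlencode(sorted((k, str(v)) for k, v in params.items() if k != "sig"))


def sign_request(params, key, nonce, timestamp):
    """Client side: attach a nonce and a timestamp, then an HMAC-SHA1 over
    everything. Returns the signed query string the app would send."""
    signed = dict(params, nonce=nonce, ts=str(timestamp))
    mac = hmac.new(key, canonical_string(signed).encode("utf-8"), hashlib.sha1)
    signed["sig"] = mac.hexdigest()
    return urlencode(sorted(signed.items()))


class RequestVerifier:
    """Server side: accept a signed query string at most once, and only
    while its timestamp is inside the tolerated window."""

    def __init__(self, key, window=300, now=time.time):
        self.key = key
        self.window = window   # seconds of clock skew / delay tolerated
        self.now = now         # injectable clock (constructed, so tests are deterministic)
        self.seen = {}         # nonce -> timestamp; in-memory stand-in for a shared store

    def _purge(self, now):
        # A nonce older than the window can never be accepted again, so forget it.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

    def verify(self, query_string):
        params = dict(parse_qsl(query_string))
        sig, nonce, ts = params.get("sig"), params.get("nonce"), params.get("ts")
        if not (sig and nonce and ts and ts.isdigit()):
            return False                                   # malformed request
        now = self.now()
        if abs(now - int(ts)) > self.window:
            return False                                   # stale or future-dated
        expected = hmac.new(self.key, canonical_string(params).encode("utf-8"),
                            hashlib.sha1).hexdigest()
        if not hmac.compare_digest(expected, sig):         # constant-time comparison
            return False                                   # tampered, or wrong key
        self._purge(now)
        if nonce in self.seen:
            return False                                   # replay of an accepted request
        self.seen[nonce] = int(ts)
        return True


KEY = b"constructed-demo-key"   # placeholder for the key the app derives at runtime


def demo():
    """Walk through accept, replay, tamper and stale cases on a fixed clock."""
    clock = [1335000000]        # constructed epoch timestamp, advanced by hand below
    verifier = RequestVerifier(KEY, window=300, now=lambda: clock[0])
    position = {"user": "alice", "lat": "51.50", "lon": "-0.12"}

    fresh = sign_request(position, KEY, nonce="5f3c1a", timestamp=clock[0])
    first = verifier.verify(fresh)                 # True: valid, first time seen
    replay = verifier.verify(fresh)                # False: nonce already consumed
    tampered = fresh.replace("lat=51.50", "lat=0.00")
    tamper = verifier.verify(tampered)             # False: HMAC no longer matches
    clock[0] += 600
    stale = sign_request(position, KEY, nonce="9a7e2b", timestamp=clock[0] - 600)
    late = verifier.verify(stale)                  # False: outside the time window
    return first, replay, tamper, late


if __name__ == "__main__":
    print(demo())
```

The timestamp window is what keeps the nonce store bounded: once a request is too old to be accepted on its timestamp alone, its nonce can be dropped. Checking the HMAC before consulting the store means unsigned junk never costs a store lookup, and `hmac.compare_digest` avoids leaking how many leading bytes of a guessed signature were right.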