8

The Android developer says the following about storing your app public key in your project:

Security Recommendation: It is highly recommended that you do not hard-code the exact public license key string value as provided by Google Play. Instead, you can construct the whole public license key string at runtime from substrings, or retrieve it from an encrypted store, before passing it to the constructor. This approach makes it more difficult for malicious third-parties to modify the public license key string in your APK file.

Should this be self-explanatory? I don't understand what they want me to do.

They say the same thing in the comments of the example, but what the heck, they don't actually demonstrate what they mean by their instructions. Here's what it says:

Instead of just storing the entire literal string here embedded in the program, construct the key at runtime from pieces or use bit manipulation (for example, XOR with some other string) to hide the actual key. The key itself is not secret information, but we don't want to make it easy for an attacker to replace the public key with one of their own and then fake messages from the server.

So how exactly might a person do this?

Plastic Sturgeon
  • 12,527
  • 4
  • 33
  • 47

3 Answers

2

The Android developer docs want to say that the "public key" you need to synchronize with Google Play for any payment you want to do using your application should not be used directly inside your app source code, because it can be easily hacked by anyone. So one way is to store your public key on the server side and, once you get the response from Google Play to verify the key, send that response to the server and perform your operation there on the server.

    /**
     * String transformation by XOR-ing all characters by value.
     * XOR is its own inverse: applying it again with the same value restores the original.
     */
    static String stringTransform(String s, int i) {
        char[] chars = s.toCharArray();
        for (int j = 0; j < chars.length; j++) {
            chars[j] = (char) (chars[j] ^ i);
        }
        return String.valueOf(chars);
    }
skygeek
  • 1,548
  • 11
  • 24
  • So google suggests "Instead, you can construct the whole public license key string at runtime from substrings, or retrieve it from an encrypted store," Is retrieving it from a server "retrieve from encrypted store"? And what is a secure way to construct it at runtime from strings as described? – Plastic Sturgeon Jun 20 '13 at 04:19
  • 1
    Move all of the transaction validation logic to your server, and use HTTPS to connect to it. – skygeek Jun 20 '13 at 04:33
  • and for the string transformation you need to implement your own logic or for ex see updated answer. – skygeek Jun 20 '13 at 04:33
  • Thank you. I choose this answer because after reading it and the code example, I understand the documentation and how this is one implementation of it. The goal is to hide the string to make it harder to find and maliciously substitute. – Plastic Sturgeon Jun 21 '13 at 06:50
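The two suggestions from the docs (assemble the key from substrings at runtime, and XOR-mask the pieces) put together with the signature check the key actually exists for, as an added example that is not part of any answer on this page. The RSA key pair, the mask value and the purchase payload are all constructed here; in a real app the masked pieces would be precomputed once and pasted into the source as literals, while the key pair comes from the Play Console.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class ObfuscatedKeyDemo {

    // Mask for the XOR transform. Constructed for this example; any value works as
    // long as the same one is used to mask and to unmask.
    private static final int MASK = 0x2A;

    /** XOR every character of s with value (the same transform skygeek posted). */
    static String stringTransform(String s, int value) {
        char[] chars = s.toCharArray();
        for (int j = 0; j < chars.length; j++) {
            chars[j] = (char) (chars[j] ^ value);
        }
        return String.valueOf(chars);
    }

    /** Build-time step: split the base64 key into fixed-size pieces and mask each one. */
    static String[] maskPieces(String base64Key, int pieceLen) {
        int n = (base64Key.length() + pieceLen - 1) / pieceLen;
        String[] pieces = new String[n];
        for (int i = 0; i < n; i++) {
            int end = Math.min(base64Key.length(), (i + 1) * pieceLen);
            pieces[i] = stringTransform(base64Key.substring(i * pieceLen, end), MASK);
        }
        return pieces;
    }

    /** Runtime step: unmask each piece and concatenate (XOR with the same mask undoes itself). */
    static String assembleKey(String[] maskedPieces) {
        StringBuilder sb = new StringBuilder();
        for (String p : maskedPieces) {
            sb.append(stringTransform(p, MASK));
        }
        return sb.toString();
    }

    /** Decode the base64 X.509 SubjectPublicKeyInfo (the format Play hands out) into a PublicKey. */
    static PublicKey decodeKey(String base64Key) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Key);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** Verify signedData against a base64 signature; Play billing signs with SHA1withRSA. */
    static boolean verify(PublicKey key, String signedData, String base64Sig) throws Exception {
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initVerify(key);
        sig.update(signedData.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(base64Sig));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the Play Console key: a fresh RSA pair generated here.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String base64Key = Base64.getEncoder().encodeToString(pair.getPublic().getEncoded());

        // Build time: these masked pieces are what you would embed instead of the whole key.
        String[] masked = maskPieces(base64Key, 40);

        // Runtime: reassemble, decode, and use the key only for verification.
        String rebuilt = assembleKey(masked);
        PublicKey key = decodeKey(rebuilt);

        // Constructed purchase payload, signed with the matching private key to stand in
        // for the signed data Play returns.
        String payload = "{\"orderId\":\"EXAMPLE-ORDER-1\",\"productId\":\"premium\"}";
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(pair.getPrivate());
        signer.update(payload.getBytes(StandardCharsets.UTF_8));
        String sigB64 = Base64.getEncoder().encodeToString(signer.sign());

        System.out.println("key rebuilt correctly: " + rebuilt.equals(base64Key));
        System.out.println("genuine signature verifies: " + verify(key, payload, sigB64));
        System.out.println("tampered payload verifies: " + verify(key, payload + " ", sigB64));
    }
}
```

Masked characters can fall outside the printable range, so when you paste the precomputed pieces into source you would write them as escaped string literals or as byte arrays. What this buys you is only what the docs claim: the key no longer appears as one greppable literal, so patching the APK to swap in an attacker's key takes more work. Anyone reading the decompiled code can still recover both the pieces and the mask, which is why the comment above about moving validation to your own server over HTTPS remains the stronger control.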
1

It's very basic information that they are trying to convey. Let's look at this example:

Some developers might store their licenses as strings themselves:

private static final String LICENSE_1 = "xxx-yyy-zzz";
private static final String LICENSE_2 = "xxz-yyz-zzz";
private static final String LICENSE_N = "xxz-yyz-zzz";

private ArrayList<String> licenseList = new ArrayList<String>();

licenseList.add(LICENSE_N);

And then they might want the user to enter their license number, so they will do something like this:

// editText is the EditText the user typed the license number into
if (licenseList.contains(editText.getText().toString())) {
    // allow
} else {
    // disallow
}

Now I can decompile this app and get all the licenses :D

If you hadn't had anything like the above in your code, the only way I could bypass your licensing, if it's done locally, would be by hacking into memory like GameCIH does. Memory hacking is only one example; there are various things attackers might do. You cannot stop them, but you can make their life harder.

Milan
  • 1,845
  • 5
  • 19
  • 33
  • That demonstrated the vulnerability. I get that. Strings decompile as strings. But what are they asking you to do to protect your app? They have specific suggestions, and I don't understand them. – Plastic Sturgeon Jun 20 '13 at 04:17
  • Sorry, I don't know much about how bitwise operations are done in code, but I can tell you about how your app can be cracked. As said, this approach makes it more difficult. Let's say even if you had a bitwise operation implemented in your client-side logic, if I decrypt your app I am still able to do whatever I desire to do with it because I can see your logic. I can then recompile your app and publish it to private app stores or file stores. – Milan Jun 20 '13 at 04:35
1

As already noted, security through obscurity does not work, so you can ignore the documentation.

Community
  • 1
  • 1
user2768
  • 794
  • 8
  • 31