6

Basically what I am trying to achieve is hosting a CSV file which will be retrieved and used by my application as a source of data to populate some tables. The CSV will be updated with the latest data, and I envision that every so often the app will get the latest version to ensure the data within it is up to date.

My question is around whether it is possible to ensure that this remote CSV resource is only used by my application?

Presumably if I just did a plain URL GET on the location of the CSV, this could be sniffed and the path used by others. I don't see how I could restrict access to it since users could be using the app from almost any connection.

If I use some sort of encryption on the file, would the decryption key(s) possibly be exposed if someone decompiled the Java APK file?

Are there any other approaches to ensure my csv data source is only used by my app?

Thanks

(I am using a CSV because the data isn't very complex, and doesn't warrant a database, I've read a little about the App->webservice->database approach to this issue when using a database)

Drake

5 Answers

14

The question you ask should be: how hard can I make the crackers' life? If you are distributing your app via the Play Store, have a look at this question; even though it's marked off topic, the answers and links are valuable.

I assume your app is not free (since the .csv seems valuable), so have a deeper look into the Licensing Verification Library and this blog post, esp. the parts "Technique: Offload license validation to a trusted server" and "Technique: Make your application tamper-resistant".

In short, and as far as I understand it, the way you go is as follows:

  1. Upload your APK to Google with your RSA public key.
  2. Implement the LVL request inside your application (without encryption and without the private key inside the application package!).
  3. Forward the LVL response to your server with POST over a secured SSL connection.
  4. On your trusted server, using your RSA private key, you should check the things mentioned in the blog post, esp. put the requested user IDs into a database and count the requests from a single UID; if it's much higher than average, you can assume this user ID to be the one that was used for invalid requests.
  5. Don't reply if anything goes wrong with the check.
  6. If everything is alright, reply with your CSV. Only persist your data on the Android client if you want the user to use the CSV without a connection, else any rooted device or cracked APK could gain access and redistribute the CSV. Better: only push requested parts (e.g. lines) of the CSV to the user.

See this question and look up replay attacks and how to prevent them, to not let anyone replay a call that provided the CSV or parts of it (e.g. sequence numbers per UID).

Obfuscate your code as well as possible to make the work even harder, like @VinceFR mentioned already.

There are still some attacks, like these two:

  • Root the device and inspect the stored CSV, then redistribute - that's why you don't want to store your CSV on the client.
  • Reverse engineer your app, log the hopefully complete CSV they got and use it, probably remove LVL code to use your app for free - that's why you still have to obfuscate and send only the parts requested.

Even checksumming, using PackageManager, APK signature etc. won't do it for 100%.

But in fact, until the client first downloads the CSV (or any other data) your data is safe. It's even safe as long as you can trust your users (e.g. limited user circle of trust for an in-house application or something; then you should prefer Android's VPN options to access the file). After that, it's just a question of time and effort to put into cracking your app and getting the valuable CSV - and the question is whether it's worth it for anyone to put that time into it.

An additional link providing more information and links on LVL by Justin Case.

Have a nice read on all these links and remember: making it hard enough to make it unvaluable can't stop those crackers that are taking the value from success - what I mean is, cracking some kind of "crack-proof" software is more valuable, even without getting paid or something, for some kind of people.

PS: See this answer on another question for a "crack-proof" software - but even a website and its data can be constantly duplicated, if it's worth it.

Christian R.
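
The server-side part of steps 4 to 6 and the per-UID sequence numbers mentioned in the answer above, as an added example (not code from the answer, the linked blog post or the LVL). It assumes the LVL response for the UID has already been verified; `CsvGate`, `MAX_ROWS_PER_CALL`, the factor of 3 and the sample rows are hypothetical.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data standing in for the hosted CSV.
CSV_ROWS = ["id,name,price", "1,widget,9.99", "2,gadget,19.99", "3,gizmo,4.50"]
MAX_ROWS_PER_CALL = 2  # hypothetical cap: never hand out the whole file at once


class CsvGate:
    """Server-side gate; assumes the LVL response for `uid` was already verified."""

    def __init__(self):
        self.last_seq = {}                 # uid -> highest sequence number accepted
        self.requests = defaultdict(int)   # uid -> number of requests seen

    def handle(self, uid, seq, first_row, count):
        """Return the requested rows, or None (no reply) if any check fails."""
        self.requests[uid] += 1            # count every attempt, valid or not
        if not isinstance(seq, int) or seq <= self.last_seq.get(uid, 0):
            return None                    # replayed or out-of-order call
        if not (1 <= count <= MAX_ROWS_PER_CALL) or first_row < 1:
            return None                    # refuse bulk or malformed requests
        self.last_seq[uid] = seq
        return CSV_ROWS[first_row:first_row + count]

    def suspicious_uids(self, factor=3.0):
        """UIDs whose request count is more than `factor` times the average."""
        if not self.requests:
            return []
        avg = mean(self.requests.values())
        return sorted(u for u, n in self.requests.items() if n > factor * avg)


def demo():
    gate = CsvGate()
    first = gate.handle("uid-a", 1, 1, 2)      # fresh call: rows 1-2
    replay = gate.handle("uid-a", 1, 1, 2)     # same sequence number again
    for i in range(9):                         # nine ordinary users
        gate.handle(f"uid-{i}", 1, 1, 1)
    for seq in range(2, 60):                   # one UID shared by many clients
        gate.handle("uid-a", seq, 1, 1)
    return first, replay, gate.suspicious_uids()
```

A flagged UID is a candidate for review or blocking; the sequence counter only stops verbatim replays and does nothing against a client that holds a valid UID and increments the number itself, which is what the request count is for.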
5

In addition to all the other answers here, there is a post on the Android Developer's Blog titled "Verifying Back-End Calls from Android Apps" which should be of interest to you too, just in case you haven't come across it yet.

Joe
3

No, it is not possible.

As you suspected, your app can always be reverse engineered to reveal how to obtain the resource.

ntoskrnl
3

If you use a homemade encryption (based on well-known encryption types), other apps could read your CSV file, but your app will be the only one to understand it. To increase the reverse-engineering complexity of your encryption code, you can create an encrypter which mixes Java and C (use JNI), and of course, don't forget to use ProGuard or another obfuscator.

VinceFR
1

As mentioned, if your app can reach the data then with some effort 3rd parties can reach it too.

However, a low-tech solution could simply be setting the HTTP referer to your app and checking that on your server.

It will only keep out lazy unauthorized users but for some use cases the return/effort ratio may be good enough.

Rhythmic Fistman