3

I am building an Android application in which I will be consuming some of the Google APIs from the application itself. I have enabled billing and increased quota for some of the API's.

While creating the credentials I have selected Installed Application, Application type as Android and supplied the package name and SHA1 fingerprint. I just wanted to know how Google decides whether the request is getting originated from my own Android application.

Anybody who has my app installed on their device can get the APK by rooting the device and can get the SHA1 fingerprint and package name. Also by decompiling the code using some Dex tools one can extract the Client ID as well. As I have enabled billing for my account if anybody is able to get all these details they can start consuming API using my ID.

Please help me how this scheme avoids unauthorized application/system to consume API using my ID.

Creating credential for API consumption

martoncsukas
  • 2,077
  • 20
  • 23
Dungeon Hunter
  • 19,827
  • 13
  • 59
  • 82
  • 1
    I don't know how google does it. It's a trade secret. Fail Lost Packet Resend overflow. You've mentioned everything about reverse engineering an app except the most important part. Put a trace on the network to see how the api communication actually works. Think about a webservice can pull cookies from the browser and how you could use that technology. – danny117 Sep 29 '14 at 06:34
  • Yes i agree i missed that part. Thanks – Dungeon Hunter Sep 29 '14 at 06:35

2 Answers2

2

You are correct in that an attacker can get your signing certificate SHA1 fingerprint and ClientID, but fortunately this info alone is not of much use to attackers, because they do not have the private key your apk is signed with. This means that they can not create their own packages with the same fingerprint.

On android devices you are using google services via Google Play Services APK. This code sends requesting applications signing certificate fingerprint to Google backend servers. Your (or potential attackers) code do not provide this fingerprint when calling Google API-s. Certificate fingerprint is queried behind the scenes using package manager. Google backend compares received fingerprint with the one you registered. If it does not match, request is denied. All this communication is encrypted so traffic snooping does not work.

So, for the attacker to use your client id he has to manipulate android platform or Play Services APK so that incorrect certificate fingerprint is sent. This is not an easy task. Google Play Services is not open source, also Google very actively updates it and refuses to service requests from old versions. This means should some attack against Services APK appear in the wild they will release a new version.

Similar mechanisms are probably in place for Chrome and iOS.

Okas
  • 2,664
  • 1
  • 19
  • 26
0

Sort answer is: you can't. Longer response: move the important things to a secured web server... More and better tricks and explanations here How to avoid reverse engineering of an APK file?

Community
  • 1
  • 1
eduyayo
  • 2,020
  • 2
  • 15
  • 35