
From this. We can't prevent reverse engineering. But how do we detect if the app has been modified and is trying to access our server? Especially on iOS and Android.

  • If you can get your app's checksum from within your source code, that could serve as your app's fingerprint. But I can imagine a hacker will just hardcode this before validating with your server. – user1506104 Sep 25 '16 at 10:11

2 Answers


Something we have used with success for a while now is the following:

  1. During the compile phase, make MD5s of the DLLs and executable and save them to a place the server can access.
  2. Before the client connects to the server, have it compute the MD5s as well.
  3. OnConnect, send the MD5s to the server and have the server validate them.

Since the correct MD5s should be a secret known to the server, you will catch early attempts to modify the code and can flag those accounts for further review. But even then, an above-amateur level dev will figure this out and just send the MD5s you are expecting.

It's not foolproof, but I honestly believe nothing is; all you can do is complicate it as much as possible. This does complicate things a little bit, since the MD5s will change every time you publish an update. You could even hash the MD5 with the connection ID, which would make the hash each connection sends to the server unique.

Using this approach will make it impossible to disable/remove the checks, because the server always expects an MD5/hash to be sent.

using System.IO;
using System.Security.Cryptography;
// Step 2: compute the MD5 of one file on the client (the build step does the same to produce the server's copy).
static byte[] ComputeFileMd5(string path)
{
    using (var md5 = MD5.Create())
    {
        using (var stream = File.OpenRead(path))
        {
            return md5.ComputeHash(stream); // returns the MD5 byte[]
        }
    }
}

As the post you linked to said very well: you basically can't protect your application from being modified, and any protection you put in there can be disabled/removed. You can do different tricks to make hacking harder, though.

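The three steps above, carried through both sides of the exchange, as an added example that is not the answerer's code: a build-time manifest of artifact digests kept server-side, a client that recomputes the digests and binds them to the server-issued connection ID with an HMAC (the "hash the MD5 with the connection ID" idea), and a server that validates on connect and records mismatches for review. The artifact bytes, account names, and helper names (`digest_artifacts`, `fingerprint`, `IntegrityServer`) are constructed for the example; SHA-256 is used in place of MD5 for the per-file digest, since MD5 is no longer collision-resistant.

```python
import hashlib
import hmac
import secrets

# Constructed sample build output; stands in for the real DLLs and executable.
BUILD_ARTIFACTS = {
    "client.exe": b"\x4d\x5a" + b"client code v1.0" * 8,
    "engine.dll": b"\x4d\x5a" + b"engine code v1.0" * 8,
}


def digest_artifacts(artifacts):
    """Steps 1 and 2: one digest per artifact (SHA-256 here instead of the answer's MD5)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(artifacts.items())}


def fingerprint(digests, connection_id):
    """Bind the digests to this connection: HMAC over canonical 'name=digest' lines,
    keyed by the connection id, so the value sent on each connection is unique."""
    canonical = "\n".join(f"{name}={d}" for name, d in sorted(digests.items())).encode()
    return hmac.new(connection_id, canonical, hashlib.sha256).hexdigest()


class IntegrityServer:
    """Server side: holds the manifest captured at build time and validates on connect."""

    def __init__(self, manifest):
        self.manifest = manifest
        self.flagged = []  # accounts whose fingerprint did not match, for later review

    def open_connection(self):
        # Fresh random connection id per session; the client receives it before sending.
        return secrets.token_bytes(16)

    def on_connect(self, account, connection_id, client_fingerprint):
        expected = fingerprint(self.manifest, connection_id)
        ok = hmac.compare_digest(expected, client_fingerprint)
        if not ok:
            self.flagged.append(account)
        return ok


def client_connect(server, account, artifacts):
    """Steps 2 and 3 from the client's side: recompute digests, send the salted fingerprint."""
    connection_id = server.open_connection()
    fp = fingerprint(digest_artifacts(artifacts), connection_id)
    return server.on_connect(account, connection_id, fp)


def demo():
    server = IntegrityServer(digest_artifacts(BUILD_ARTIFACTS))
    # Untouched build: accepted.
    genuine = client_connect(server, "alice", BUILD_ARTIFACTS)
    # Constructed tampered build: the last byte of the DLL is patched.
    patched = dict(BUILD_ARTIFACTS)
    patched["engine.dll"] = patched["engine.dll"][:-1] + b"X"
    tampered = client_connect(server, "mallory", patched)
    # Replay: a fingerprint captured on an earlier connection is rejected on a new one.
    old_fp = fingerprint(digest_artifacts(BUILD_ARTIFACTS), server.open_connection())
    replayed = server.on_connect("eve", server.open_connection(), old_fp)
    return genuine, tampered, replayed, list(server.flagged)


if __name__ == "__main__":
    print(demo())  # (True, False, False, ['mallory', 'eve'])
```

The per-connection key only stops a captured value from being replayed; it does not address the answer's own caveat, because a modified client that still carries the original digests can compute the same HMAC. The server-side record of mismatches is what gives the check its value: it surfaces the early, unsophisticated modifications for review.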

I've closed this question, but I have an idea. I hope some of you will consider it and comment.

As the answer said:

You basically can't protect your application from being modified, and any protection you put in there can be disabled/removed. You can do different tricks to make hacking harder, though.

Any protection in client can be removed.

How about:

  1. Put the verification code on the server.
  2. Download this code and run it at runtime (each run must expect a unique result).
  3. Send the verification result to the server for it to authorise.

Because you have to download a part of the script, you have to download the DLL from the server side, or alternatively use this.

  • This would not work, as even that can be circumvented. When would you do this? At startup? What happens when they do DLL injection afterwards, for example? – Riaan Walters Nov 15 '16 at 08:10
  • Yes, DLL injection, that's worse than the old problem :( – kitta Nov 15 '16 at 08:12
  • DLL injection is part of the old problem. There are a range of techniques to cheat, change, bypass or add to any client code; this is why I said it's impossible to protect completely. The only thing you can actively do is make it not worth their time. Make 100% sure that no critical code is running on the client which cannot be validated by the server. This, to my understanding, is your only reliable line of defense, but do not be fooled by how well it works to make it a lot of effort to crack your code: it works for 99.9%, and it's always just that last 0.1% which causes the problem. – Riaan Walters Nov 15 '16 at 08:26