So how can I get the MD5 of the dex file at runtime?

On Jul 11, 6:39 pm, Raghav Sood <[email protected]> wrote:
> Probably not the best method, but you can have it send an MD5 of its contents
> to your web server, generated at run time. If the MD5 matches the MD5 you
> have predefined on your server, then it's authentic. The MD5 will be
> different for all versions of your app, and you must only generate it using
> non-changing resources. Preferably using your dex file, as that will return a
> different MD5 if a hacker changes its contents.
>
> On Mon, Jul 11, 2011 at 7:58 PM, Richard <[email protected]> wrote:
> > Ok, but is there any way to be sure that it's the original package? I
> > use open key to encode data in my app so hacker never sees comparison
> > explicitly, but of course if he knows my signature open key this
> > doesn't help. What can you advise? As I see Android does everything to
> > make all our efforts useless - even with ProGuard. Using several tools
> > everyone can open your package, almost restore source files,
> > resources, edit the code and compile again. Virtually no way to fight
> > against piracy. But I thought if I can check modifications, I'll have
> > the cure.
> > Do you happen to know if there is a way to check the package's CRC?
>
> > On Jul 11, 6:01 pm, Kostya Vasilyev <[email protected]> wrote:
> > > I don't believe that hackers use the API - they process your application at
> > > another computer, and create a new package, signed with a new key.
>
> > > The hacked package has code to intercept that PackageManager call, and
> > > return your original signature.
>
> > > --
> > > Kostya Vasilyev
> > > 11.07.2011 17:54, user "Richard" <[email protected]> wrote:
>
> > > > Hi all,
> > > > using this code:
>
> > > > PackageManager pm = getPackageManager();
> > > > try
> > > > {
> > > >     // 64 is the value of PackageManager.GET_SIGNATURES
> > > >     PackageInfo info = pm.getPackageInfo(getPackageName(), 64);
> > > >     Signature[] sig = info.signatures;
> > > >     sigstring = new String(sig[0].toChars());
> > > > }
> > > > catch (Exception e)
> > > > {
> > > >     e.printStackTrace();
> > > > }
> > > > return sigstring;
>
> > > > I can get the signature of every package in the system.
>
> > > > How can I deny other apps (except my apps and the Android system) to read
> > > > my package signature?
> > > > I want to make sure it is the original app, not changed by a hacker (i.e.
> > > > signed by my own private key) when run. But for now I see that a hacker
> > > > can easily patch my code by embedding the signature he read from my
> > > > original package.
> > > > Maybe there is another way to make sure the package is original?
>
> > > > --
> > > > You received this message because you are subscribed to the Google
> > > > Groups "Android Developers" group.
> > > > To post to this group, send email to
> > [email protected]
> > > > To unsubscribe from this group, send email to
> > > > [email protected]
> > > > For more options, visit this group at
> > > >http://groups.google.com/group/android-developers?hl=en
>
> --
> Raghav Sood
> http://www.raghavsood.com/
> http://wiki.androidappcheck.com/
> http://www.telstop.tel/
> https://market.android.com/developer?pub=Raghav+Sood
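
An added example, not code from anyone in this thread: one way to compute the digest of `classes.dex` asked about above, by reading that entry out of the APK (which is a ZIP archive). The class name `DexDigest`, the helper `writeSampleApk` and the sample bytes are constructed for illustration so the code runs off-device; on Android the path is assumed to come from `Context.getPackageCodePath()`.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.zip.*;

public class DexDigest {
    /** Hex digest of the classes.dex entry inside the APK (a ZIP archive) at apkPath. */
    static String dexDigest(String apkPath, String algorithm) throws Exception {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        try (ZipFile apk = new ZipFile(apkPath)) {
            ZipEntry dex = apk.getEntry("classes.dex");
            if (dex == null) throw new FileNotFoundException("classes.dex not in " + apkPath);
            try (InputStream in = apk.getInputStream(dex)) {
                byte[] buf = new byte[8192];
                for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
            }
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Constructed stand-in for an APK so the example runs without a device.
    static String writeSampleApk(byte[] dexBytes) throws IOException {
        Path p = Files.createTempFile("sample", ".apk");
        try (ZipOutputStream z = new ZipOutputStream(Files.newOutputStream(p))) {
            z.putNextEntry(new ZipEntry("classes.dex"));
            z.write(dexBytes);
            z.closeEntry();
        }
        return p.toString();
    }

    public static void main(String[] args) throws Exception {
        // On a device, pass the app's own APK path (assumed: Context.getPackageCodePath()).
        String original = writeSampleApk("dex-v1".getBytes(StandardCharsets.UTF_8));
        String patched = writeSampleApk("dex-v1-patched".getBytes(StandardCharsets.UTF_8));
        String expected = dexDigest(original, "MD5"); // the value the server would hold
        System.out.println("original matches: " + expected.equals(dexDigest(original, "MD5")));
        System.out.println("patched matches:  " + expected.equals(dexDigest(patched, "MD5")));
    }
}
```

This covers only the `classes.dex` entry; an APK that ships further dex files (`classes2.dex` and so on) needs each of them hashed as well.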
