The Android developer says the following about storing your app public key in your project:
Security Recommendation: It is highly recommended that you do not hard-code the exact public license key string value as provided by Google Play. Instead, you can construct the whole public license key string at runtime from substrings, or retrieve it from an encrypted store, before passing it to the constructor. This approach makes it more difficult for malicious third-parties to modify the public license key string in your APK file.
Should this be self-explanatory? I don't understand what they want me to do.
They say the same thing in the comments of the example, but what the heck p they don't actually demonstrate what they mean by their instructions. Here's what it says:
Instead of just storing the entire literal string here embedded in the * program, construct the key at runtime from pieces or * use bit manipulation (for example, XOR with some other string) to hide * the actual key. The key itself is not secret information, but we don't * want to make it easy for an attacker to replace the public key with one * of their own and then fake messages from the server.
So how exactly might a person do this?
The system manages Android application access to resources that, if used incorrectly or maliciously, could adversely impact the user experience, the network, or data on the device. These restrictions are implemented in a variety of different forms.
Google Play Protect checks your apps and devices for harmful behavior. It runs a safety check on apps from the Google Play Store before you download them. It checks your device for potentially harmful apps from other sources.
Mobile apps without security protocols put forth extreme risks to both users and developers as unprotected vulnerabilities may become targets to hackers for malware attacks or data breach. There are over 4.8 billion mobile phone users and if any virus goes viral, it can be harmful to the global digital community.
android developer wants to say the "public key" you need to synchronize with google play for any of payment you want to do using your application, It should not be used directly inside your app source code because it can be easily hacked by any one. So one way is store your public key in the server side and once you get response from google play to verify the key send that response to server and perform your operation there at server.
/**
* String transformation by XOR-ing all characters by value.
*/
static String stringTransform(String s, int i) {
char[] chars = s.toCharArray();
for(int j = 0; j<chars.length; j++)
chars[j] = (char)(chars[j] ^ i);
return String.valueOf(chars);
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With