Basically what I am trying to achieve is hosting a CSV file which will be retrieved and used by my application as a source of data to populate some tables. The CSV will be updated with the latest data, and I envision that every so often the app will get the latest version to ensure the data within it is up to date.
My question is around whether it is possible to ensure that this remote CSV resource is only used by my application?
Presumably if I just did a plain URL GET on the location of the CSV this could be sniffed and the path used by others. I don't see how I could restrict access to it since users could be using the app from almost any connection.
If I use some sort of encryption on the file, would the decryption key(s) be possibly exposed if someone decompiled the Java APK file?
Are there any other approaches to ensure my CSV data source is only used by my app?
Thanks
(I am using a CSV because the data isn't very complex, and doesn't warrant a database, I've read a little about the App->webservice->database approach to this issue when using a database)
the question you ask should be: how hard can i make the crackers' lives? if you are distributing your app via the Play Store, have a look at this question; even though it's marked off topic, the answers and links are valuable.
i assume, your app is not free (since the .csv seems valuable), so have a deeper look into the Licensing Verification Library and this blogpost, esp. the parts Technique: Offload license validation to a trusted server and Technique: Make your application tamper-resistant.
in short and as far as i understand it, the way you go is as follows:
see this question and look up replay attacks and how to prevent them, to not let anyone replay a call that provided the csv or parts of it (e.g. sequence numbers per UID).
obfuscate your code as well as possible to make the work even harder, like @VinceFR mentioned already.
there are still some attacks, like these two:
even checksumming, using PackageManager, apk signature etc. won't do it for 100%.
but in fact, until the client first downloads the csv (or any other data) your data is safe. it's even safe as long as you can trust your users (e.g. limited user circle of trust for an in-house application or something, then you should prefer Android's VPN options to access the file). after that, it's just a question of time and effort to put into cracking your app and getting the valuable csv - and the question is whether it's worth it for anyone to put that time into it.
an additional link providing more information and links on LVL by Justin Case.
have a nice read on all these links and remember: making it hard enough to make it unvaluable can't stop those crackers that are taking the value from success - what i mean is, cracking some kind of a "crack-proof" software is more valuable, even without getting paid or something, for some kind of people.
PS: see this answer on another question, for a "crack-proof" software - but even a website and its data can be constantly duplicated, if it's worth it.
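The "sequence numbers per UID" idea from the answer above, as an added example that is not part of the original answer: a server-side check that refuses a CSV request whose sequence number was already used or whose tag does not verify. The per-UID key (assumed to be issued by the server after its own license check), the `uid|seq` message layout and all function names are hypothetical; a key held in the app can still be extracted by decompiling it, so this only stops replay of captured calls.

```python
import hashlib
import hmac

# Constructed sample state: per-UID keys a server would issue after its own
# license check (assumption), and the highest sequence number seen per UID.
USER_KEYS = {"uid-1001": b"constructed-demo-key-1001"}
LAST_SEQ = {}


def sign_request(key: bytes, uid: str, seq: int) -> str:
    """Client side: tag the (uid, seq) pair so it cannot be altered in transit."""
    msg = f"{uid}|{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def check_request(uid: str, seq: int, tag: str) -> str:
    """Server side: return 'ok' or the reason the CSV request is refused."""
    key = USER_KEYS.get(uid)
    if key is None:
        return "unknown uid"
    expected = sign_request(key, uid, seq)
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "bad tag"
    # A captured request carries a sequence number that was already used.
    if seq <= LAST_SEQ.get(uid, 0):
        return "replay"
    LAST_SEQ[uid] = seq
    return "ok"


def demo() -> list:
    key = USER_KEYS["uid-1001"]
    first = ("uid-1001", 1, sign_request(key, "uid-1001", 1))
    results = [check_request(*first)]        # fresh request
    results.append(check_request(*first))    # same bytes sent again
    # seq changed but the tag was not recomputed with the key.
    results.append(check_request("uid-1001", 2, first[2]))
    second = ("uid-1001", 2, sign_request(key, "uid-1001", 2))
    results.append(check_request(*second))   # next legitimate request
    return results


if __name__ == "__main__":
    print(demo())
```
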