Is it possible to remotely host a resource used in a Android app in such a way that it can only be used by my app?

Basically what I am trying to achieve is hosting a CSV file which will be retrieved and used by my application as a source of data to populate some tables. The CSV will be updated with the latest data, and I envision that every so often the app will get the latest version to ensure the data within it is up to date.

My question is around whether it is possible to ensure that this remote CSV resource is only used by my application?

Presumably if I just did a plain URL GET on the location of the CSV this could be sniffed and the path used by others. I don't see how I could restrict access to it since users could be using the app from almost any connection.

If I use some sort of encryption on the file, would the decryption key(s) be possibly exposed if someone decompiled the java apk file?

Are there any other approaches to ensure my csv data source is only used by my app?

Thanks

(I am using a CSV because the data isn't very complex, and doesn't warrant a database, I've read a little about the App->webservice->database approach to this issue when using a database)

Drake asked Jul 19 '13 14:07



1 Answer

the question you ask should be: how hard can i make the crackers' life? if you are distributing your app via the playstore, have a look at this question, even though it's marked off topic, the answers and links are valuable.

i assume, your app is not free (since the .csv seems valuable), so have a deeper look into the Licensing Verification Library and this blogpost, esp. the parts Technique: Offload license validation to a trusted server and Technique: Make your application tamper-resistant.

in short and as far as i understand it, the way you go is as follows:

  1. upload your apk to google with your RSA public key.
  2. implement the LVL request inside your application (without encryption and without the private key inside the application package!)
  3. forward the lvl response to your server with post over a secured SSL connection
  4. on your trusted server, using your RSA private key you should check the things mentioned in the blogpost, esp. put the requested user IDs into a database and count the requests from a single UID, if it's much higher than average you can assume this user id to be the one that was used for invalid requests.
  5. don't reply if anything goes wrong with the check
  6. if everything is alright, reply with your csv. only persist your data on the android client, if you want the user to use the csv without connection, else any rooted device or cracked apk could gain access and redistribute the csv - better: only push requested parts (e.g. lines) of the csv to the user

see this question and look up replay attacks and how to prevent them, to not let anyone replay a call that provided the csv or parts of it (e.g. sequence numbers per UID).

obfuscate your code as well as possible to make the work even harder, like @VinceFR mentioned already.

there are still some attacks, like these two:

  • root the device and inspect the stored csv, then redistribute - that's why you don't want to store your csv on the client
  • reverse engineer your app, log the hopefully complete csv they got and use it, probably remove LVL code to use your app for free - that's why you still have to obfuscate and send only the parts requested

even checksumming, using PackageManager, apk signature etc. won't do it for 100%.

but in fact, until the client first downloads the csv (or any other data) your data is safe. it's even safe, as long as you can trust your users (e.g. limited user circle of trust for an inhouse application or something, then you should prefer Android's VPN options to access the file). after that, it's just a question of time and effort to put into cracking your app and getting the valuable csv - and the question is, if it's worth it for anyone to put that time into it.

an additional link providing more information and links on LVL by Justin Case.

have a nice read on all these links and remember: making it hard enough to make it not valuable can't stop those crackers that are taking the value from success - what i mean is, cracking some kind of a "crack-proof" software is more valuable, even without getting paid or something, for some kind of people.

PS: see this answer on another question, for a "crack-proof" software - but even a website and its data can be constantly duplicated, if it's worth it.

Christian R. answered Oct 20 '22 17:10
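The trusted-server side of steps 4 to 6 plus the replay note, as an added example that is not part of the original answer: it fails closed, enforces a strictly increasing sequence number per UID, flags a UID whose request count is far above the others, and returns only the requested CSV lines. It assumes an HMAC over the request fields as a stand-in for checking the LVL response signature, and a small constructed CSV in place of the poster's data.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample standing in for the hosted CSV (not from the original post).
CSV_TEXT = "id,name,price\n1,widget,9.99\n2,gadget,19.99\n3,doohickey,4.50\n"
ROWS = CSV_TEXT.splitlines()

# Assumption: the licence check is modelled as an HMAC over (uid, seq), standing in
# for verifying the LVL response signature with the Google-issued public key.
SERVER_KEY = b"constructed-demo-key"


def sign_request(uid: str, seq: int) -> str:
    return hmac.new(SERVER_KEY, f"{uid}:{seq}".encode(), hashlib.sha256).hexdigest()


class CsvGate:
    """Trusted-server gate: verified request -> anti-replay -> abuse count -> partial CSV."""

    def __init__(self, abuse_factor: float = 3.0, min_requests: int = 5):
        self.last_seq = defaultdict(int)   # highest sequence number seen per UID
        self.count = defaultdict(int)      # total accepted requests per UID
        self.abuse_factor = abuse_factor
        self.min_requests = min_requests

    def _is_abusive(self, uid: str) -> bool:
        # A UID well above the average of all other UIDs is treated as leaked.
        others = [c for u, c in self.count.items() if u != uid]
        if not others or self.count[uid] < self.min_requests:
            return False
        return self.count[uid] > self.abuse_factor * (sum(others) / len(others))

    def handle(self, uid: str, seq: int, sig: str, line_numbers):
        # Step 5: anything wrong -> no reply at all (None), never a partial answer.
        if not hmac.compare_digest(sig, sign_request(uid, seq)):
            return None
        # Replay protection: the sequence number must strictly increase per UID.
        if seq <= self.last_seq[uid]:
            return None
        self.last_seq[uid] = seq
        self.count[uid] += 1
        # Step 4: count requests per UID and refuse the ones far above average.
        if self._is_abusive(uid):
            return None
        # Step 6: push only the requested lines (plus header), never the whole file.
        wanted = [ROWS[0]] + [ROWS[i] for i in line_numbers if 0 < i < len(ROWS)]
        return "\n".join(wanted)
```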