Suppose I have an an apk that I want to reverse engineer but there are some small problems regarding this. For instance if the application uses Google siging mechanism to signin into the app then I would not be able to signin after modifying the apk!
There are also couple of other reasons that why not to modify an apk with resigning it with custom keystore...!
Is it possible?
Or is there any other problem to tackle this?
It is not possible1 to modify an APK without invalidating the signature. That is the whole point of the signature.
However, the APK signature and Google's Sign-in service are different things. "Signing" and "sign-in" are different words with different meanings. From a theoretical standpoint (at least) an APK that has been modified should still be able to successfully use Google Sign-in.
Here are some background links on APK digital signatures and how they work:
Wikipedia: Digital signatures
APK Signature Scheme v2
APK Signature Scheme v3
1 - At least not currently. If someone manages to break the "crypto" that is used to implement the signature, then all bets are off. But we are probably OK for a few years ...
Related
I formerly signed jar files using a locally installed keystore as part of an automated build. I'm now faced with having to use a hardware-based device, due to recent changes to minimal code signing requirements, and while I've figured out how to do it, I'm seeing extreme slow-downs.
Just as one example, a jar file with 180 classes that I could formerly sign in about half a second is now taking about 30 seconds. As it's going, I see my token device's access light flashing a few times a second, presumably once for each class in the jar file.
Is there any way to speed this up, e.g. some way to reduce the token accesses to a single access for the entire jar file?
It was not an answer, but it is too long for a comment:
If your supposition of an access to the token for any file is correct, then it would mean the hash of the files is also being calculated in the device, not only the signature.
Does your PKCS11 device have a logging option that could show which pkcs11 calls are the device receiving (hash operations are called C_Digest in PKCS11) to confirm?
Maybe with the option mentioned in java keytool with opensc pkcs#11 provider only works with debug option enabled (I haven't tried it)
Since I don't know if there's any way to tell jarsigner to hash by software and to sign by hardware, if you can't find a better answer, maybe you can write your own provider: ( http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/HowToImplAProvider.html ) :
implementing a software hash (MessageDigestSpi, just forwarding the call to the default software java provider)
and a device signature (SignatureSpi, just forwarding the call to the PKCS11 provider configured in java ). I think it was Signature signature = Signature.getInstance("SHA1withRSA", "SunPKCS11") and so on. And analog for KeyStoreSpi.
And then call jarsigner with your provider as parameter.
Try adding -sigalg SHA512withRSA to your jarsigner options.
For further information, check my answer to a related question
One of my Android applications relies on another package to be installed as a license key. I could have gone with in-app purchases but key/license is the same for many of my apps.
In order to unlock some paid functionality in my app, I check for the existence of the package com.example.license. This works just fine but in order to add a an extra layer of rigidity, I would like to check that my package and the licence key package are signed by the same key be it debug or release. How can I check this? Is it as simple as calling PackageManager.checkSignatures?
here: Get certificate fingerprint from android app I've put some example how to get certificate from application. You just need to run this code against your app and the license package (just replace this.getPackageName with the com.example.license)
Is is possible to create a new APK by overloading/overriding and existing APK.
Say, we have WhatsApp messenger. Now if I want to show a notification like, "Person X is online now.", in notification area, it is not possible using the existing WhatsApp messenger. So, I'd like to develop a new custom messenger, which uses all the functionality of WhatsApp messenger, with some of my custom code. Just like importing JARs, can we import APK...??
This seems like using another persons work, but just from learning point of view, I'd like to know the possibilities. As of now, lets leave all the, security, vulnerability.
In a nutshell, no.
APKs are not like Jar files such that you can simply import them into your app. They also contain other resources like the XML and assets. The code is kept in a classes.dex file, which is generated from the Jar file of the app code.
Moreover, each app runs in its own DVM, and is sandboxed to prevent this kind of interaction between apps. You cannot simply use WhatsApp's code in your own app as a third party apps.
There are however two ways to achieve what you want.
If the app you are targeting provides an API by means of content providers, or even web services that you can use to access their data and events like users coming online. WhatsApp does not offer any such API
You decompile the target app, and insert your own code to do what you want. This can be very hard because most popular apps, like WhatsApp, obfuscate their code making it hard to decipher (but not impossible). Additionally, WhatsApp encrypts most of its data like messages, contacts, chat threads etc using AES, which adds an additional layer to bypass in some places. Oh, and it also violates several IP and copyright laws if you do this.
Yes and No.
There are a couple of ways for an app - a standalone one - to share its information with other apps. One is through the use of a content provider, the other through custom broadcasts.
If, say, WhatsApp has documented its app and was built such that you can build on it further, you can catch those broadcasts and listen to those providers such that your app can also react upon the changes made in WhatsApp.
you can create a config.properties file and insert it in Asset folder in your wattsup messenger assuming you have the source code,
Now you will have to configure your custom application to write that changes in this file, however you can change these data in several ways such as webservices that allows you to modify that data in that file through them .
ok with the above scenario, you can make the changes,but your application will never update that changes coz your dealing with an APK not a code,therefore you will have to re-generate the APK again so it will take the latest changes .
for an automated APK generating you can use ANT tools, by placing a build.xml file in your wattsp sources
code you can run that script which ant release that will generate the new APK with the latest code
as you said these are possibilities still but in my opinion in the end you cant use the APK as a library
I am currently developing an api for a website i run. The api will be used in a number of places, and one of those places is an Android app.
It's purpose is to allow users to login, and and download files. I have the api build, and it will be using HTTPS so all of the data is fine when being transferred.
The issue i am having is that the API calls require an API key. With this key you will be able to have access to certain functions of the API that may cause issues.
What i was wondering, is there a way to secure this API key? I am not an Android developer at all, but people will be using the API that are on Android so i need to work out a solution.
Below is an example of the flow that the API uses:
// Log the user in with their username and password (HTTPS, so not really an issue)
romhut.request('/api/users/login?apikey=KEY', {username : 'scott', password : 'password'}, function(r) {
console.log(r);
// Once you have the token, request the API key that allows actions such as downloading
romhut.request('/api/files/download?apikey=KEY', {token : r.token, file : file}, function(d){
console.log(d);
// Download the file
}, 'POST');
}, 'POST');
No. You cannot protect the API Key once you embed it into an Android application. The app needs access to the API Key, so someone with access to the app will be able to recover that key from within the app and use it for their own purposes. The best you can do is to obfuscate your app so that reverse engineering it is more difficult (the goal is to make it more difficult for the attacker to reverse your app than is worth his time). You need to decide how much effort in this regard is called for, based on the risk of an exposed API Key, but you can never make it impossible to recover, just more difficult. In reality, your best bet is most likely to turn on Proguard during your build process (so things are obfuscated to a decent degree in the APK with no work on your end) and hope for the best.
You should create a specific API key for each user. There is no really good way to secure data that is actually in the user's hands (Ask makers of copy protection about this) Then you can use HMAC to hash together the API key and the requested API and verify that the same thing happens on both ends. See: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code (PHP has a function for this.)
In fact it would be more accurate to say that there should be a many-to-one relationship between keys and users since you may have different and/or revoked keys for a user.
For an excellent overview, see: https://security.stackexchange.com/questions/18572/is-it-okay-for-api-secret-to-be-stored-in-plain-text-or-decrypt-able
Is Android keystore a direction to look at? Then, perhaps an encrypted string is posted to the API based on the key that is stored in android key store by the app at the time of installation. That way if there is a succesful decryption, it can serve the requests.
I am a final year student, i am trying to provide higher level of security at web login time for clients. So, i am looking for fingerprint authentication. Which means, wherever client wants to login he/she has to login using his/her fingerprint. (Assuming client is using digital persona personal fingerprint reader for finger scan). So, is it possible...? if it is, then how..?? Because, i googled my problem , but didn't get helpful material to implement on my project.
Unless your fingerprint reader specifically has support for this functionality, chances are that it's not possible. As a general rule, web pages are intentionally prevented from having direct access to hardware.
Also, see the comments on Online fingerprint authentication for some reasons why fingerprint authentication may not be quite so awesome as it sounds.
If you can access the fingerprint scanner from Java in the browser security context, then you could use Digital Persona's drivers. A problem may arise in that you will likely not be able to access the scanner from the browsers security context without the blessing of the user. Additionally, the Digital Persona drivers may require that you install extra software on the client's machine.
You would need:
A fingerprint capturing device (something like 30 USD to a few hundred USD depending on the spec)
A fingerprint matching SDK (download one that is in the public domain here)
Then you write:
Client code that captures and submits fingerprint images.
Server code that receives a person's fingerprint image at registration, converts that into minutiae data, checks that quality of the image/minutiae to make sure the fingerprint minutiae is usable, then stores it in the DB.
Receives a person's fingerprint image at login, converts that into minutiae data and matches that with the fingerprint in the DB by calling the matching library. Usually you will get a matching score back, with which you can decide whether you consider it the same identity by using a threshold (if score > threshold then authenticate, etc.)
That's the basic idea. The link I provided should have all the libraries you need. Note also that you might need to process the image captured by the capturing device so that you can use it with the libraries.
Biometrics isn't easy. Even if you have the libraries, you can't just use them without careful planning/tuning etc. So it's not like you are good to go to build a production app. just because you have these libraries. It's quite different from say, using Hibernate as a library. So if you are just interested in quickly adding this functionality on your app., you should reconsider because it will take a lot of work to make this work. If you are prepared to understand how these libraries work, play around with image processing, learn about biometrics etc., then it might be fun :)
There are probably libraries out there that you can buy (probably together with the capturing hardware) which will make this process much easier, but they are very expensive.