After a long hard work in developing an app, with a creative idea, then put it in the app store. I was shocked that my app was duplicated and reskined. OMG.
those peopple they just change the color theme and the app name then they put our app in their name.
Hense, Is there any technical solution, or an approach to prevent and to secure our app against this violation.
thank you in advance.
First of all, please check whether you enabled ProGuard to obfuscate your code when releasing. If yes, then it is time to switch to DexGuard (a commercial version of ProGuard). From my experience, it is still able to hack an application which turned on ProGuard (if you can read smalli code), but there is no way to attack an application which was protected by DexGuard.
Please refer this for more information: https://www.guardsquare.com/en/dexguard
This is called Reverse engineering because all resources that are reskined so called by you must be first extracted from application so you have to actually reverse engineering which is not completely stoppable how ever you can refer to this question this is what you are looking for
Related
Context
I have a Minix x88i Android computer (not relevant, but it's without internal NFC tech), connected to an external RFID reader (the ACR1252u from ACS). ACS provides an API for Android so I can communicate with my reader through my application. That works.
Goal
My goal is to be able to read ISO 14443 Type A cards ((Dutch) ID-cards and passports (aka ePassports)), and get the result in my application. The key to access these tags is the MRZ (Machine Readable Zone) visible on the ePassports, which can be hard-coded for now.
Problem
I'm a bit stuck on what my next step should be. I found the JMRTD API to help me access the ePassports, but I don't know how to use it after importing it in my application (mostly because I don't have a 'Tag' or 'Card' object or something). Applications I found using this either make use of importing javax.smartcardio.* or android.nfc.*, which both won't work in my Android application for a device without internal NFC.
Do I need to use JMRTD? No, if there are other libraries which do the same that I don't know about, please let me know!
You could help me by guiding me in the right direction on how to use JMRTD (or something else) for an Android application on a device without internal NFC, in combination with the ACR reader. A popular reader from them is the ACR122, if you have experience with that the chance is high that it will also apply for my reader! Or maybe you know of a project that does the same, so I can use that as a code example.
If I need to provide more information, please let me know. Thanks in advance!
Solved by extending the CardService class from SCUBA (dependecy from JMRTD) in my own class. Next I could create a PassportService from JMRTD, open it, select the application, perform authentication and read the data.
I ask this question because I couldn't find the answer I was looking for but simply put is there anything in place in the app store to prevent stolen code? I notice that there are a lot of clones on android which made me wonder whether they are directly ripped off or just so easy to replicate that they end up cloned.
Can people just simply download the apk file and reverse engineer it?
Is there anything google has in place that prevents this, or if there isn't, is there anyway that I myself can prevent it or make it more difficult for people wanting to steal my code?
I'm still new to Java and learning so it will be a while before I start this, but the project I have in mind will consume a large chunk of what little spare time that I have for a while, so I don't want to put a lot of time into it without proper measures only to have it stolen and sold for someone else's profit in a week.
If this has been answered before whether on this site or another please point me to there and delete this if necessary.
Well, you can do code obfuscation, so that on de-compiling the code, the logic is not obvious, so hard to maintain.
You can use the free version i.e. ProGuard or much powerful professional version DexGuard.
Here is an example which shows how to configure ProGuard when you are using libraries.
Retrofit+ProGuard.
I am making a secure application which should not run if the mobile device is stolen/lost, or the sim card is changed. If I programatically uninstall my app it prompts user whether she wants to uninstall it or not. I want this thing in a hidden way.
One more thing is to keep a file in assets/raw folder and when sim card is changed i must remove that file and my app will not run without that file. But deleting the files from both folders is not possible on run time.
All suggestions highly appreciated!
I know about password protection, cryptography, Pro-Guard, Dex-Guard, keep minimum functionality on phone. Guys I must need a way to remove the App! Please help on that point
Thankx in advance!
One more secure solution is to run your app on some Android x86 servers and to pipe in only the user interface to the phone.
Disclaimer: I've never used those guys, so I don't know how good they are. I just saw their lightning talk presentation at the most recent AnDevCon in San Francisco, and I just thought it was a clever idea.
One added advantage that this solution provides is that your employee's personal content doesn't get mixed in with the content of your company's. In hindsight, it's an old solution that has worked quite well for PCs and remote workers.
I'm not sure if this is exactly what you are asking for, but it may address your concerns. In general, the big concern with a stolen phone would be data. If you are concerned about someone else running your application, it seems that authentication should address that. A secondary concern is that someone could de-compile your code to learn details that could lead to exploitation. So here are 2 suggestions that address these concerns.
Use Progaurd to obfuscate your code. That way if the device is rooted and the APK is obtained, it cannot be de-complied (at least not into easily understandable code). Reference.
If you store any data in a database on the device, be sure to encrypt it. SQLCipher is a free library that will allow you to do so. Reference.
Answering some other interesting comments I was pinged about:
A couple of things:
I am that guy who gave the lightning talk in AnDevCon Stephan Branczyk mentioned, but I'm not a heavy stackoverflow user so I do not have the privilege to reply. 50 Upvotes for this comment and I may be able to answer inline :)
I will however give my insights on this, so if you are "paranoid" about security and want to read more about it from the founder of a "paranoid security vendor" - you can continue reading it.
Otherwise goto 7.
It is very important to understand that there is no catch-all solution - so do not be naive about it. All Android security best practices are great - but up to some point, as your Operating System (ROM, MOD,...) can, and will be compromised. I do not want anyone to panic - but there is NO perfect solution.
Stephan is right about Nubo's security design concept - if you violate the terms - your are out of the game. If you're out of network, or doing something suspicious - well - the device is not in control, no matter what. We aim towards satisfying both the user in their personal space, and the IT managers in the remote Android space.
It is very important for me to say clarify it is NOT a remote desktop. It's not even close to it - we have developed a Display protocol for Android from scratch - intended for the mobile environment. This is nothing like Remote Desktop/X11/VNC/... for "PC".
Should you need a "perfect" solution, you need to have a "trusted" device, which involves hard-core hardware support + secure bootloader + block verification chains etc. You can learn from the ChromeOS project if you are interested but I assume you are not willing to take it that far.
Answering the original answer: It depends on what phone. If you want
to use the PackageManager - you need your app to have a System
certificate, which means that unless you bundle it with your own
device, or do other tricky stuff I will not get into in this post -
you can't. What you can do is to use the BIND_DEVICE_ADMIN permission in your manifest,
and essentially register your app as an administrator (Something like MDM, etc.). Then, with some more trickery stuff you can handle your problem on the nominal case. You could bundle another app with that capability, and just invoke it from your app if you want to be on the very safe side.
*This post is already way too long and referring to too many questions so if you have further questions please go ahead and ask. I will try to reply before 2014...
step 1 : write a process to run in background
step 2 : make the process be active when cell starts
step 3 : check for internet connection or balance
step 4 : if internet available mail yourself phone specific details like IMEI ,MAC ,IP whatever you think is important ,
step 5 : locating GPS location would be very helpful
step 7 : recieve these mails from the mail id registered in your app
I see alot of post concerning the Android Jni but I still do not have a clear idea how to edit it. I have a Phonegap app that is having JNI Errors when loading a certain page.
From what I have read during research, I need to release the local storage. How do I do this, I am wondering.
All I see to do it but no real clear path on what to do.
If you were going to either release localRef strings or create a globalRef string What would you do?
Thanks ahead.
So you have already created 512 local references and you need to create more. You either have to release some of the ones you've already created, via DeleteLocalRef(), if that makes sense in your code, or else request more local slots, via EnsureLocalCapacity() or PushLocalFrame(). I prefer the latter in conjunction with PopLocalFrame(): many coding patterns fit into it, maybe yours.
I want to use an SDK in android, but I don't want that SDK to have any access to permissions that I haven't explicitly given it. On top of that, if the SDK throws an uncaught exception, I don't want it to bring down my entire application.
In C# there is the concept of an AppDomain where you can treat the code running inside of it like a sandbox, granting (or limiting) permissions, and only providing access to data that you explicitly want to share.
Is there anything that works like this in Java for the Android platform?
There are two questions here. The first one deals with handling exceptions in a piece of untrusted code; a carefully written try/catch block should take care of that, as long as the untrusted piece is pure Java. If native code is allowed, then nothing short of process level isolation would help. For running code in a separate process, read up on Android services; you can designate a service to run in a designated process. Then exceptions (the nonmanaged kind) won't bring down the main app. You'll just get a "service has died" exception.
A whole another issue is lowering the permission set. To the best of my knowledge, there's no way to lower the permission set within an app. Even a surrogate process won't help. If you ship a whole application (in the Android sense of the word) for wrapping and running custom code, that might help. But the logistics of app installation would get tricky. Google Market does not readily support the notion of app interdependence or prerequisites.
All the permissions you give to your app are the permissions that are allowed to otherwise it wont have permissions for almost nothing.
you set your permissions in your Manifest.xml otherwise than that you cannot set other kind of permissions.