This question already has answers here:
How to avoid reverse engineering of an APK assets folder resources items file?
(2 answers)
Closed 6 years ago.
I've a question related to Data security in Android development. Right now i am working in an application where i need to keep an existing database in assets folder so App can copy it in to the internal writable location to avoid the large database download from server during first time installation. But unfortunately using APK decompiling tool one can view the files in assets folder included this database file. Is there a way to prevent my assets-files from being decompiled so Data security can be assured in my application. Any help would be highly appreciated. Thanks.
Simple answer is no . there will always be some way where a potential hacker can do it's tricks though you can make it harder by using some 'encryption' schemes mean you can encrypt your data with some special key,then with the key you can encode and decode your data so better place to keep things more secure is nactive libs means you using native(c,c++) code which should contain your sensitive data and generate libs, by doing this you are adding an another layer of encryption because reverse engineered native form of native libs are quite hard to read.
Related
I'm accessing Dropbox API to upload and download files using Java. Now, I need to create a function which can append data to existing Dropbox file.
I've a working code which first downloads a file and then uploads it with the text appended. However, is there is a better way to do this, because my code has is inefficient?
Thanks in advance. :)
Conventionally there is no support for direct file editing in Dropbox, so what you looking for is not supported in existing APIs of Dropbox, possibly what you are doing currently,
first downloads a file and then uploads it with the text appended
is the best (and the only) way of modifying files in Dropbox cloud.
But apart from this it does support file revision mechanism, which can be achieved with help of /delta, /revision
A way of letting you keep up with changes to files and folders in a
user's Dropbox. You can periodically call /delta to get a list of
"delta entries", which are instructions on how to update your local
state to match the server's state.
https://www.dropbox.com/developers-v1/core/docs#revisions
Best Luck :)
This question already has an answer here:
Prevent Mp3 file to play in another Media player
(1 answer)
Closed 9 years ago.
I am needing to build an Android application that has music/audio files downloaded from a webservice and ultimately stored on the filesystem for playing within the app, but I need to prevent the user from being able to access and play the files, rooted or not.
My first instinct is to encrypt them before storing to the filesystem, but I'm not sure which encryption algorithms I should be focused on, as well as whether it makes a difference that these are binary files being encrypted vs. plain text files (I'm reading posts about encryption not working correctly for audio files).
Is there a better way to approach this kind of thing? I see a similar question to this has been asked, but it unfortunately has no solid answers:
How can I store music on an android phone without allowing the user to be able to download it and use it?
My apologies if I have overlooked how this can be accomplished. Any advice would be greatly appreciated!
You are asking how to create a DRM system. It is a controversial topic, and there is no direct answer. The site Defective by Design discusses the negative aspects to DRM systems from the perspective of the user.
The answer to your question really depends on how you define "the user". If you mean the average, ordinary user, you could really encrypt the file any way you like. Even something as trivial as XORing the file would work.
However, if the "user" you are talking about is a determined individual with a decent amount of knowledge and technical aptitude, the simple answer is that you can't. It is trivially easy to get the java source out of a .class file so anyone who really wants to get at those files can look at your code to find out how you encrypted it and then reverse engineer it.
Simply put, if your client can read the file, any user who has the client can read the file (with or without using your client).
I am making the setup of java swing application by using Inno Setup as an exe i am selecting the jar file of my project, I am also adding other necessary resources as folder.
When I am installing the setup on the client side. it is putting the jar and other
resources in program files folder but there client can extract the my java classes
and other resources from jar. I want that client can only use the resources by
application program but he could not extract the resources. How is it possible?
There is literally nothing you can do to entirely prevent someone from extracting the resources.
The best you can do is to make the process a bit difficult; e.g. by storing the resources in the JAR file in encrypted form. The problem is that your program would need to decrypt the resources in order to use them. Someone with sufficient skills and patience can reverse engineer your decryption code and capture the unencrypted resources.
By the way, this is not a Java-specific problem. Any application that you provide to a user as an executable can be reverse engineered ... assuming that the user has the wherewithal to run it in the first place.
The bottom line is that if you are not prepared for the possibility that someone might extract the resources, you should not distribute the executable.
This question already has answers here:
Recommended way to save uploaded files in a servlet application
(2 answers)
Closed 7 years ago.
Here is my situation:
My table must have an button to show images, I am inserting data in database containing only the name of the image file (filename.jpg) and not an specific path, the server will show it based in what context it is in real server or not. For it after a long search I found the method getServletContext().getRealPath("/images") who finds the context where the paste is located, for example local host or real one (at least that's what I understood).
But, when I am at localhost it's showing this context for the method
getServletContext().getRealPath("/images"):
C:\Documents and Settings\josue\Meus documentos\workspace.metadata.plugins\org.eclipse.wst.server.core\tmp0\wtpwebapps\testeDeFuncoes\images\file.jpg
I deduce it's calling context of a temporary folder, that was made only for localhost test.
To recover it in localhost I think will work, but in real server will work it work, I think not, right?
Can I put in Webcontent in dynamic way that when I export WAR file it is stored in file and when upload it works no matter of what location server decides to choose. If not, what is generally used to do it a webpage in the most cases?
You might consider storing the images in the database, depending on your needs, see Storing Images in DB - Yea or Nay?
I'm personally a big fan of storing images in a database and caching them in a temporary directory on the local filesystem.
Either way you should have a reliable known canonical place to store the images. If you're not storing them in a database, decide on a non-temporary directory, or make it configurable.
The webapp may be served from a war file, and servletContext.getRealPath(...) is unlikely to return a reliable place to store anything.
I'm currently developing an application for a company which includes livescoring. The XML-files I access (from the net like: "http://company.com/files/xml/livescoring.xml") are not intended to be public and should only known to me.
I was wondering if it is possible for anyone to decode the .apk file and read my original .java files (which include the link to the XML files).
So, I renamed the .apk file to .zip and could access the "classes.dex", which seemed to include the .java files (or classes). Googling led me to a tool named "AvaBoxV2" which decoded this "classes.dex" file. Now I have a folder including an "out" folder where files named .smali exist. I opend one of these with an editor and finally there is the link to the xml file. Not good. :(
Is there a way to encrypt my app or the classes.dex file? I don't want to tell that company, that anyone can access the original xml-files. Maybe signing the app probably helps?
Also, do you know a really noob-friendly tutorial to prepare apps (signing, versioning,...) for Google Market?
Thanks in advance!
The .java source code is not included in the APK.
It is possible to disassemble the Dalvik bytecode into bytecode mnemonics using a tool like baksmali, but there's no way a user can recover the original .java source.
Furthermore, you can use a tool like proguard (included in the Android SDK) to obfuscate your byte code, making it hard to interpret the behavior of the disassembled bytecode.
You can make small tricks too, like storing the link string in some sort of obfuscated form, and then de-obfuscating it at run-time in your app (a simple example would be to use base 64 encoding, but someone could probably reverse that quickly if they wanted to).
That said, it's pretty trivial for someone to run tcpdump and sniff the network traffic between your device and the server, and get the URL that way, so there's no way to completely prevent anyone from getting this value.
Yeah, its impossible to fully prevent something like this. Its the same on a desktop application, or any other application.
As mentioned, obfuscation will help, but people who are persistent can still get past it. Especially for something like a url like that.
One solution of making it much more tricky for hackers is to use PHP on your webserver and some sort of token system to determine if the request is coming from your app or not... That would get a bit tricky though, so I don't really suggest it.