I tried looking up what an Android key hash on Google.
But all I got was how to generate it, not what actually what it is. Can anybody give a simple explanation of what this key hash actually is and why Facebook needs you to generate one to run samples and your own application?
Can anybody give a simple explanation of what this key hash actually is..
The key hash is a machine specific security check for authenticity. If you use multiple machines for development of the application, you need to add and save multiple key hash to your profile to authenticate every machine.
From the Facebook Documentation page:
..The key hash is used by Facebook as a security check for authenticity. By default, the app's package is signed with a machine specific debug key. When publishing the app it is typically signed with a different, release key. Therefore, you want to make sure you have the hashes of all the related keys set on Facebook...
...Note that you can add multiple key hashes here if you are developing with multiple machines. You will now be able to compile and run all of the authentication-based samples on your emulator without issue.....
(Emphasis mine)
Why does Facebook need you to generate one in order to run samples and your own application?
It's an authentication key to identify registered developers.
How to get key hash of your device?
If your using eclipse then go into window menu > preferences > android > build >
then on right side you will get your machines md5 and sha key which is your
hash key for facebook i think you need to provide your SHA key as a hash key for facebook
this is the very simple way to get your key hash rather than complex command tool process
what is key hash?
it is key associated with your device which is unique key to identify your device so when you provide it to facebook (in your case facebook) then they generte application key against your keyhash so only your machine able to generate the apk with runable output i mean facebook functionality will able to run with its full functionality
such kind of key hash also needed in google project also
NOTE: Never disclose your keyhash to anyone
hope this information will clear your doubts happy coding :)
Related
Suppose I have an an apk that I want to reverse engineer but there are some small problems regarding this. For instance if the application uses Google siging mechanism to signin into the app then I would not be able to signin after modifying the apk!
There are also couple of other reasons that why not to modify an apk with resigning it with custom keystore...!
Is it possible?
Or is there any other problem to tackle this?
It is not possible1 to modify an APK without invalidating the signature. That is the whole point of the signature.
However, the APK signature and Google's Sign-in service are different things. "Signing" and "sign-in" are different words with different meanings. From a theoretical standpoint (at least) an APK that has been modified should still be able to successfully use Google Sign-in.
Here are some background links on APK digital signatures and how they work:
Wikipedia: Digital signatures
APK Signature Scheme v2
APK Signature Scheme v3
1 - At least not currently. If someone manages to break the "crypto" that is used to implement the signature, then all bets are off. But we are probably OK for a few years ...
At this Android Developers link it is stated that
The value of ANDROID_ID does not change even if a system update causes the package signing key to change.
Can a system update change an app's package signing key? And if so, how?
The only way a system update could change a package's signing key is if that package is in the system image. A normal app (that is, one downloaded from the app store that is not part of the system image) would not have its signing key changed.
That is to say: a system update, without a factory reset or a reinstall of the app, will not change the app's ANDROID_ID, and it won't change the signing key either, except possibly if that app is included with the system image.
I cannot link my android app project with firebase console. Because every time when I create a new project and generate an SHA-1 key, it generates same key for every project.
I stuck in it and didn't find an answer. Please Help me
I think you are doing mistake while generating the SHA-1 Key, as we know there already located debug.keystore for default keystore use, so when ever you fire the code for SHA-1 then there default keystore (debug.keystore) will use.
so may be due to this reason you have every time same SHA-1.
Please follow this link, here describe how to find the SHA-1 using Android Studio also inside android studio.
One of my Android applications relies on another package to be installed as a license key. I could have gone with in-app purchases but key/license is the same for many of my apps.
In order to unlock some paid functionality in my app, I check for the existence of the package com.example.license. This works just fine but in order to add a an extra layer of rigidity, I would like to check that my package and the licence key package are signed by the same key be it debug or release. How can I check this? Is it as simple as calling PackageManager.checkSignatures?
here: Get certificate fingerprint from android app I've put some example how to get certificate from application. You just need to run this code against your app and the license package (just replace this.getPackageName with the com.example.license)
I am currently developing an api for a website i run. The api will be used in a number of places, and one of those places is an Android app.
It's purpose is to allow users to login, and and download files. I have the api build, and it will be using HTTPS so all of the data is fine when being transferred.
The issue i am having is that the API calls require an API key. With this key you will be able to have access to certain functions of the API that may cause issues.
What i was wondering, is there a way to secure this API key? I am not an Android developer at all, but people will be using the API that are on Android so i need to work out a solution.
Below is an example of the flow that the API uses:
// Log the user in with their username and password (HTTPS, so not really an issue)
romhut.request('/api/users/login?apikey=KEY', {username : 'scott', password : 'password'}, function(r) {
console.log(r);
// Once you have the token, request the API key that allows actions such as downloading
romhut.request('/api/files/download?apikey=KEY', {token : r.token, file : file}, function(d){
console.log(d);
// Download the file
}, 'POST');
}, 'POST');
No. You cannot protect the API Key once you embed it into an Android application. The app needs access to the API Key, so someone with access to the app will be able to recover that key from within the app and use it for their own purposes. The best you can do is to obfuscate your app so that reverse engineering it is more difficult (the goal is to make it more difficult for the attacker to reverse your app than is worth his time). You need to decide how much effort in this regard is called for, based on the risk of an exposed API Key, but you can never make it impossible to recover, just more difficult. In reality, your best bet is most likely to turn on Proguard during your build process (so things are obfuscated to a decent degree in the APK with no work on your end) and hope for the best.
You should create a specific API key for each user. There is no really good way to secure data that is actually in the user's hands (Ask makers of copy protection about this) Then you can use HMAC to hash together the API key and the requested API and verify that the same thing happens on both ends. See: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code (PHP has a function for this.)
In fact it would be more accurate to say that there should be a many-to-one relationship between keys and users since you may have different and/or revoked keys for a user.
For an excellent overview, see: https://security.stackexchange.com/questions/18572/is-it-okay-for-api-secret-to-be-stored-in-plain-text-or-decrypt-able
Is Android keystore a direction to look at? Then, perhaps an encrypted string is posted to the API based on the key that is stored in android key store by the app at the time of installation. That way if there is a succesful decryption, it can serve the requests.