Tuesday, September 13, 2011

Re: [android-developers] Inapp Billing: Security best practices

On Wed, Sep 14, 2011 at 12:56 AM, androidmediadeveloper
<kamathajith@gmail.com> wrote:
> We are integrating with Market to provide in-app billing on our app.
> The implementation guide says for additional security, we can use a
> server to do the key verification process. This is so we don't bake the
> apk with the public key, I suppose.
>
> Having a server-side presence for us right now is overkill. So,
> outside of the ProGuard obfuscation (which we are doing), are there
> any recommended security techniques that we can incorporate to make
> the apk tighter?
>

If you don't need to authenticate people who bought an item using IAB,
and let them download additional content, a server might be overkill.
You can split the key and scramble it somehow so it's not an obvious
string resource if you are worried about people replacing it. However,
if someone wants to crack your app, they are far more likely to modify
the bytecode to bypass any checking routines you have, rather than
trying to replace the key and fool signature checking.

The Google I/O 'Evading Pirates and Stopping Vampires' presentation
has some tips on further obfuscation and integrity checking. It boils
down to: use native code and server-side code. You decide how far
you need to go.

--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
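A worked illustration of the split-and-reassemble idea from the reply above, added here and not part of the original thread: the Base64 public key is stored as out-of-order chunks and put back together only at the moment a receipt is checked with SHA1withRSA, the signature scheme Market used for in-app billing. The key pair, receipt JSON and chunk order are all constructed for the example; as the reply notes, this only hides the string and does nothing against a patched verification routine.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class SplitKeyVerifier {
    // Chunk k of the Base64 key is stored at pieces[ORDER[k]]; in a real app the
    // chunks would sit in different classes or resources, not one array (constructed).
    static final int[] ORDER = {2, 0, 3, 1};

    static String[] split(String key, int[] order) {
        int n = order.length, len = (key.length() + n - 1) / n;
        String[] pieces = new String[n];
        for (int k = 0; k < n; k++) {
            int start = Math.min(k * len, key.length());
            pieces[order[k]] = key.substring(start, Math.min(start + len, key.length()));
        }
        return pieces;
    }

    // Runtime counterpart: walk ORDER to put the chunks back in their original order.
    static String reassemble(String[] pieces, int[] order) {
        StringBuilder sb = new StringBuilder();
        for (int idx : order) sb.append(pieces[idx]);
        return sb.toString();
    }

    // Verify the Base64 signature over the signedData string with the reassembled key.
    static boolean verify(String base64Key, String signedData, String base64Sig) throws GeneralSecurityException {
        X509EncodedKeySpec spec = new X509EncodedKeySpec(Base64.getDecoder().decode(base64Key));
        PublicKey pk = KeyFactory.getInstance("RSA").generatePublic(spec);
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initVerify(pk);
        sig.update(signedData.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(base64Sig));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed stand-in for the Market key pair so the example runs offline.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String[] pieces = split(Base64.getEncoder().encodeToString(kp.getPublic().getEncoded()), ORDER);
        String receipt = "{\"orderId\":\"constructed-order-1\",\"productId\":\"sword\"}";
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate());
        s.update(receipt.getBytes(StandardCharsets.UTF_8));
        String sigB64 = Base64.getEncoder().encodeToString(s.sign());
        String key = reassemble(pieces, ORDER);
        System.out.println("genuine receipt verifies: " + verify(key, receipt, sigB64));
        System.out.println("altered receipt verifies: " + verify(key, receipt.replace("sword", "gold"), sigB64));
    }
}
```

Uses java.util.Base64, so it runs on a desktop JDK 8+ as written; on older Android targets substitute android.util.Base64.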
