Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
RexOmni5458yAs if any competent cracker didn't use a VM and/or was connected to the internet when they crack something.
Great way to scare off script kiddies though. -
@CozyPlanes shows the dialog if the signature changed (the app has been decompiled, modified, and recompiled)
-
You know this would be a perfect cheating counter measure for games but make it reset progress each time
-
@jckimble hmmm. They could do it in say bf4 and bf1. Because those games have loads of h4ck3rs lol
-
Kimmax109878yLol.
1. Decompile
2. find the IsThiAppHackzed() function
3. insert return false; at the top
4. ???
5. Profit
Smali all the way -
m93mark2758y@jckimble Actually someone did something like that on an old Nintendo console: if the game was not original you could play until the last boss but before killing him the console was force-rebooted and all the saves deleted. Maybe the game is earth bound or something like that.
-
@ChachiKlaus @m93mark damn and i was thinking about downloading it and playing it again but i guess I'll just have to find another powercord. Earthbound is the game where you kill stuff with a yoyo and have to put in that code right? I think that's what its called but i haven't looked at it in years
-
@basanth get the signature of the app and check if it's yours. I did the check in one of my mods, line 402 https://github.com/BrianValente/...
The if code was deleted, but the code is understandable.
You need your own hash. -
@BrianValente thats the quick way but can be beat. Combine that with an apk hash and it would be unbeatable but you would need an external server to hold your production apk hashes with no device cache so somebody couldn't just insert their hash into the devices database. But if you were to do this make sure you have an automated deployment system in place cause if you release an apk and forget to add its hash to your external database you're going to have alot of pissed off users
-
@jckimble it's the hash of the signature, not of the APK. And there's no way to secure an Android app, there's always a way to bypass checks. I did it a lot of time with a lot of apps (I was a modder, not cracker), and it's easy.
Android developers listen carefully:
The only way to secure an app from modding/cracking is using Google authentication. Google Play Services checks if the signature is valid to log in. It's fairly simple, when the apps starts for the first time use the API to use the Google account logged on the device. It will give you an auth token. Everytime you want to connect to your server send the token too, and check in your server if the token is valid using the Google API. Also set an short expiry time (cracker can just extract your token with Xposed or shared prefs and replace it in the decompiled app), or check if it's being used by multiple devices and/or multiple IPs. -
@BrianValente I'm saying do a hash of your signed key and of the apk while it wouldn't be impossible to crack the apk it would be damn hard to do as long as you use proguard and have a good release cycle
-
@jckimble WhatsApp has both, and I mainly modded their app. They combine the results of some checks like png logo checksum (because most people change it), signature, unique code per release (maybe the apk hash), and more. I just simple extract the result of that code with an Xposed module (taking the result of the method) and replacing it on the modified app. Simple as that. Android is insecure for developers.
Edit: you can see the source code of my modification here, if you're interested https://github.com/BrianValente/... -
@BrianValente a unique code isn't what i mean by apk hash what im proposing is have an internet check that sends the apk hash to a server that responds either original or modded. While this combined with the signature check can be pulled out and recompiled if you use proguard it would become alot harder to crack and if you have a release every 2 or so weeks the value of cracking the apk becomes very little cause the cracked apk would only be current for a week and a half
-
@jckimble if your original app sends it's hash I can modify it to send whatever I want, even your hash. And there's no problem if you update your app every week.
-
@jckimble oh, WhatsApp uses a very good configuration of Proguard too, and it's easy to modify. Every class and method has a different name each release. But the code inside a method doesn't change. I can search the code with some regex in the entire project, and I always find it.
-
@BrianValente yes and your modded version wouldn't have the same updates and at the same time you would have to get the hash from a newer apk. But i do see your point but most crackers wouldn't think there was 2-3 traps especially if you made subtle enough where they wouldn't show on a quick test
Related Rants
I'll start implementing this in my apps too.
undefined
hack
apktool
android
mod