Daniele B

Reputation: 20442

Android: storing your webservices symmetric-key in Google Play?

I have been wondering if there is a way to store a symmetric-key your app uses to call your own webservices inside Google Play. Maybe via the new Google Tag Manager, now part of the Google Play Services, or via some way of customizing Google Play Licensing to pass some arbitrary string you define. I have never used either of them, so I am asking.

Considering that Google Play is capable of having trusted communication with your genuine app, I have been thinking you could make use of that GooglePlay-to-YourGenuineApp trusted channel to supply your genuine app with a symmetric-key for calling your webservices.

I would like to make clear that my aim is not to verify which user is calling my webservices, but only that my webservices are called from my genuine app and not from a cracked one.

You could then periodically change the symmetric-key, both on your server and on Google Play, to make sure that even if an attacker managed somehow to find the key once, he would have to find the new one each time it's changed.

Upvotes: 1

Views: 76
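
The rotation scheme described in the question, seen from the server side, as an added example that is not part of the original post: each request carries a key id and an HMAC, and the server accepts both the current and the previous key until the old one is retired. The key ids, key values, signed-field layout and function names are assumptions made for illustration; how the app obtains the key is left open, as in the question.

```python
import hashlib
import hmac
import time

# Constructed sample keys; ids and values are placeholders, not from the page.
KEYS = {
    "k-previous": b"constructed-previous-key",
    "k-current": b"constructed-current-key",
}
# During a rotation both keys are accepted, so app builds that have not yet
# fetched the new key keep working until the old one is retired.
ACCEPTED_KEY_IDS = {"k-previous", "k-current"}
MAX_SKEW_SECONDS = 300  # bounds how long a captured request can be replayed


def sign_request(key_id, key, method, path, body, timestamp):
    """Client side: HMAC-SHA256 over every field the server will check."""
    message = b"\n".join([
        key_id.encode(), method.encode(), path.encode(),
        str(int(timestamp)).encode(),
        hashlib.sha256(body).hexdigest().encode(),
    ])
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_request(key_id, method, path, body, timestamp, signature, now=None):
    """Server side: returns (ok, reason) for one incoming request."""
    now = time.time() if now is None else now
    if key_id not in ACCEPTED_KEY_IDS or key_id not in KEYS:
        return False, "unknown or retired key id"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(key_id, KEYS[key_id], method, path, body, timestamp)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def retire_key(key_id):
    """Rotation step: stop accepting an old key once the new one is deployed."""
    ACCEPTED_KEY_IDS.discard(key_id)
```

A valid signature here shows only that the caller holds the key, so the check is as strong as the key's protection inside the app and the rotation interval.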

Answers (0)
