Reputation: 517
I have a mobile app, which users will be installing on their mobile phones.
I want to make it secure; an attacker should not be allowed to modify the .apk file. I have taken care that my app will not work on rooted devices.
The server should be able to identify if an attacker has modified some code or redirected to external links.
How can I achieve the above scenario?
Upvotes: 3
Views: 4532
Reputation: 1007296
How can I achieve the above scenario?
Delete the APK. Rewrite your app as something that runs purely on the server, using some generic client. A Web app might qualify, if you do not use much in the way of client-side JavaScript.
Another app could detect if your APK has been altered, as the altered APK would not be signed by your signing key. But an app itself cannot detect if it has been altered, as the attacker can remove the detection code.
A server cannot detect if the client has been altered, because all the server knows is what the client sends it. So long as the altered client responds the same as does the original client, the server cannot tell the difference.
For example:
The original client sends `foo` as part of its communications to the server. The server rejects any communications that do not contain `foo`. So, the altered client sends `foo`.
The original client receives a unique ID from the server as part of the original communications. The original client saves that unique ID in a file and includes it in further communications to the server. The server rejects any communications that do not contain a valid ID. So, the altered client saves and uses the same ID file.
The server sends a validity challenge to the client, where the client needs to calculate a response based on client APK bytes (e.g., server asks client to send a cryptographically-secure hash of a certain byte range of the APK). The server refuses to work with clients that fail this check. So, the altered client keeps a copy of the original client APK around to use for calculating the response.
And so on.
You can use tools like DexGuard to try to make it difficult for somebody to alter the client.
Upvotes: 7
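The third scenario in the answer (server challenges the client for a hash over a byte range of the APK) can be simulated end to end to see exactly what the check does and does not prove. The following is an added example, not code from the question or the answer: the "APK" is a constructed 4 KiB byte string, the tampered build is that string with four bytes overwritten, and the challenge format (offset, length, nonce) and the SHA-256-over-nonce-plus-range response are assumptions made for the illustration. Three clients answer the same challenge: the genuine app, a tampered app that hashes its own bytes, and a tampered app that keeps a copy of the original APK and hashes that instead.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the shipped APK and a tampered build (not real APK files).
ORIGINAL_APK = bytes(range(256)) * 16          # 4096 deterministic bytes
_patched = bytearray(ORIGINAL_APK)
_patched[100:104] = b"\x00\x00\x00\x00"        # pretend these are patched instructions
TAMPERED_APK = bytes(_patched)

CHUNK_LEN = 512  # size of the byte range the server asks to be hashed (assumed)


def make_challenge(apk_len, rng=os.urandom):
    """Server side: choose a fresh nonce and a random byte range inside the APK.
    The nonce stops a client from replaying a previously computed answer."""
    nonce = rng(16)
    offset = int.from_bytes(rng(4), "big") % (apk_len - CHUNK_LEN + 1)
    return {"offset": offset, "length": CHUNK_LEN, "nonce": nonce}


def client_response(apk_bytes, challenge):
    """Client side: SHA-256 over nonce || requested APK byte range."""
    start = challenge["offset"]
    end = start + challenge["length"]
    return hashlib.sha256(challenge["nonce"] + apk_bytes[start:end]).hexdigest()


def server_verify(original_apk, challenge, response):
    """Server side: recompute the answer from its own reference copy of the APK
    and compare in constant time."""
    expected = client_response(original_apk, challenge)
    return hmac.compare_digest(expected, response)


def run_scenarios(challenge):
    """Return the server's verdict for each of the three clients described above."""
    honest = client_response(ORIGINAL_APK, challenge)
    # Naive tampered client: hashes the bytes it is actually running.
    naive_tampered = client_response(TAMPERED_APK, challenge)
    # Tampered client that kept the original APK on disk and hashes that copy.
    # Its response is byte-for-byte identical to the honest one.
    tampered_with_copy = client_response(ORIGINAL_APK, challenge)
    return {
        "honest": server_verify(ORIGINAL_APK, challenge, honest),
        "naive_tampered": server_verify(ORIGINAL_APK, challenge, naive_tampered),
        "tampered_with_copy": server_verify(ORIGINAL_APK, challenge, tampered_with_copy),
    }


def fixed_challenge():
    """Deterministic challenge whose range (bytes 0..511) covers the patched bytes,
    so the naive tampered client is guaranteed to fail it."""
    return {"offset": 0, "length": CHUNK_LEN, "nonce": b"\x01" * 16}


if __name__ == "__main__":
    print(run_scenarios(fixed_challenge()))
    # With a random range the naive tampered client is only caught when the
    # range happens to include the modified bytes; the copy-keeping client never is.
    print(run_scenarios(make_challenge(len(ORIGINAL_APK))))
```

The verdicts make the answer's point concrete: the check proves that whoever answers possesses the original APK bytes, not that the original code is what is executing. Any client able to read the original file produces the same transcript as the genuine app, so the server has no signal to act on; trust decisions therefore have to rest on what the server itself controls, which is why the answer recommends moving the logic server-side.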