How to secure android encrypted deviceid while transmitting to the server
I am building an android app which needs to communicate with the server, validation will be done on the server based on mobile deviceid and after validation, we load some URL in webview (as content is HTML).
But Hackers can decompile and modify/change the code for fetching the deviceid and hardcode his mobile "encrypted deviceid" (once he purchases the app and roots the mobile). Now he can recompile and upload the modified apk copy on the internet.
The main threat is, we will get the proper request and properly encrypted deviceid but will not be able to identify whether this request is coming from a genuine mobile device or other mobile devices those downloaded the hacked/mod copy.
By this, our content will be available to the non-subscribed users also. I have read about the articles and come to conclusions that:
1) HTTPS SSL requests can be tracked and values can be impersonated in between.
2) Progard can also be hacked after decompilation. Also, I know hacking is not impossible.
3) Storing encryption keys on device is also bad.
4) We can not afford dexgaurd for now :)
What to do in this situation? Please help.
android security asked Nov 13 '18 at 17:42
fooltocodefooltocode
213
add a comment |
I am building an android app which needs to communicate with the server, validation will be done on the server based on mobile deviceid and after validation, we load some URL in webview (as content is HTML).
But Hackers can decompile and modify/change the code for fetching the deviceid and hardcode his mobile "encrypted deviceid" (once he purchases the app and roots the mobile). Now he can recompile and upload the modified apk copy on the internet.
The main threat is, we will get the proper request and properly encrypted deviceid but will not be able to identify whether this request is coming from a genuine mobile device or other mobile devices those downloaded the hacked/mod copy.
By this, our content will be available to the non-subscribed users also. I have read about the articles and come to conclusions that:
1) HTTPS SSL requests can be tracked and values can be impersonated in between.
2) Progard can also be hacked after decompilation. Also, I know hacking is not impossible.
3) Storing encryption keys on device is also bad.
4) We can not afford dexgaurd for now :)
What to do in this situation? Please help.
android security asked Nov 13 '18 at 17:42
fooltocodefooltocode
213
add a comment |
I am building an android app which needs to communicate with the server, validation will be done on the server based on mobile deviceid and after validation, we load some URL in webview (as content is HTML).
But Hackers can decompile and modify/change the code for fetching the deviceid and hardcode his mobile "encrypted deviceid" (once he purchases the app and roots the mobile). Now he can recompile and upload the modified apk copy on the internet.
The main threat is, we will get the proper request and properly encrypted deviceid but will not be able to identify whether this request is coming from a genuine mobile device or other mobile devices those downloaded the hacked/mod copy.
By this, our content will be available to the non-subscribed users also. I have read about the articles and come to conclusions that:
1) HTTPS SSL requests can be tracked and values can be impersonated in between.
2) Progard can also be hacked after decompilation. Also, I know hacking is not impossible.
3) Storing encryption keys on device is also bad.
4) We can not afford dexgaurd for now :)
What to do in this situation? Please help.
android security asked Nov 13 '18 at 17:42
fooltocodefooltocode
213
I am building an android app which needs to communicate with the server, validation will be done on the server based on mobile deviceid and after validation, we load some URL in webview (as content is HTML).
But Hackers can decompile and modify/change the code for fetching the deviceid and hardcode his mobile "encrypted deviceid" (once he purchases the app and roots the mobile). Now he can recompile and upload the modified apk copy on the internet.
The main threat is, we will get the proper request and properly encrypted deviceid but will not be able to identify whether this request is coming from a genuine mobile device or other mobile devices those downloaded the hacked/mod copy.
By this, our content will be available to the non-subscribed users also. I have read about the articles and come to conclusions that:
1) HTTPS SSL requests can be tracked and values can be impersonated in between.
2) Progard can also be hacked after decompilation. Also, I know hacking is not impossible.
3) Storing encryption keys on device is also bad.
4) We can not afford dexgaurd for now :)
What to do in this situation? Please help.
android security android security asked Nov 13 '18 at 17:42
fooltocodefooltocode
213
asked Nov 13 '18 at 17:42
fooltocodefooltocode
213
asked Nov 13 '18 at 17:42
fooltocodefooltocode
213
asked Nov 13 '18 at 17:42
fooltocodefooltocode
213
asked Nov 13 '18 at 17:42
fooltocodefooltocode
213
213
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53286717%2fhow-to-secure-android-encrypted-deviceid-while-transmitting-to-the-server%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53286717%2fhow-to-secure-android-encrypted-deviceid-while-transmitting-to-the-server%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
