I'm in big trouble. I get this popup when I want to run a video player on my page. I've googled a lot and the reason should be the self-signed certificate. I've never bought any certificate, nor ever installed one. I've just read that not every certificate is trusted to solve this, but I'm looking for the cheapest one that can solve this, so I can use this library again without any popups.
http://i.stack.imgur.com/trhGB.png
The other question is what should I do with the certificate? Where do I put it, or how do I add it to the site?
Thanks for the reply
I am installing security software/hardware into a couple of different school districts. The application is at its final stage, however I will need to send updates to users periodically. For example, a general password will be changed for the application every 6 months.
Installing an .apk is considered an "update" after the initial application is installed, correct?
I just have a feeling that there should be some easy way of doing this. I don't really want to give people an .apk. Someone could get smart and tear it apart to find the contents. That, and some others might not understand how to install files on their phone.
What are your ideas? Maybe a web link a user can go to that starts the install for them?
You have multiple misconceptions about how updating, APKs and keeping keys secure work.
You have to host your APKs somewhere. GitHub releases are a pretty common way (but slow), but you could also use Google Drive, Dropbox or your own server.
Your app has to contact the server regularly and check if a new APK is available (pull-based). The second option is to use some kind of push notification, e.g. FCM (push-based). Then you download the APK and let the user install it. Your app cannot start an installation by itself; it has to be done by the user.
But you can redirect the user to the installation screen with that APK, so they just have to click "Install". "Install from unknown sources" has to be enabled for that; if not, the user will get a notice about that from the OS with a way to enable it.
There are apps like "APK Extractor" which get you the APKs from Google Play without root, so there's nothing wrong with giving out the APK. Your APK should never contain secure keys which the user isn't allowed to see. It's easy to reverse engineer those keys; it's just a matter of time.
Before publishing in the Play Store my Google sign-in was working fine. I saw some questions here on StackOverflow, but none of them answered my question. I don't know why the login is not working anymore. (I'm not using Firebase.)
I did all the steps to make Google sign-in work, and it was working before I published. Does anyone know what is happening? What can I do?
This is due to different SHA1 keys for the debug and release versions.
The thing is that for Google sign-in you must add the SHA1 key to your Google account, which you can get programmatically or from the command prompt.
The SHA1 key is different for a signed APK. So you have two SHA1s, one each for the debug and release versions. The SHA1 for the release version can be obtained from the keystore file.
If you want to read more about this you can check this link. It is very well explained there.
As #Jan Lovšin stated, maybe you're using the same .keystore for your debug and release APKs. Note that you need to create two keystores: debug.keystore (for debug) and release.keystore (for the published application). You may follow this thread for a detailed explanation. You may also check this related SO question. Hope this helps!
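A quick way to confirm the diagnosis above is to print the SHA-1 fingerprint of both keystores and compare them with what is registered in the console. The script below is an added example, not code from the answers; it assumes the JDK's `keytool` is on PATH (the debug keystore defaults, alias `androiddebugkey` and password `android`, are Android's documented ones), and the registered fingerprints and the sample `keytool -list -v` output are constructed placeholders.

```python
"""Compare debug/release keystore SHA-1 fingerprints with the ones registered for sign-in.

Added example, not from the original answers. Assumes `keytool` on PATH; REGISTERED and the
SAMPLE_* outputs are constructed placeholders so the parser can be exercised offline."""
import os
import re
import subprocess

# Constructed placeholder: paste the SHA-1 fingerprints shown in the console here.
REGISTERED = {"AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"}

# Constructed samples of `keytool -list -v` output (the format, not real fingerprints).
SAMPLE_DEBUG_OUTPUT = """Alias name: androiddebugkey
Certificate fingerprints:
\t SHA1: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
\t SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""
SAMPLE_RELEASE_OUTPUT = """Alias name: release
Certificate fingerprints:
\t SHA1: 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44
\t SHA256: FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""

FINGERPRINT_RE = re.compile(
    r"^\s*(SHA1|SHA256):\s*((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\s*$", re.MULTILINE)


def parse_fingerprints(keytool_output: str) -> dict:
    """Extract the SHA1/SHA256 fingerprint lines from `keytool -list -v` output."""
    return {algo: fp.upper() for algo, fp in FINGERPRINT_RE.findall(keytool_output)}


def keystore_fingerprints(keystore: str, alias: str, storepass: str) -> dict:
    """Run keytool on one keystore and return its fingerprints (needs keytool on PATH)."""
    out = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore, "-alias", alias, "-storepass", storepass],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_fingerprints(out)


def missing_from_console(fingerprints_by_build: dict, registered: set) -> list:
    """Names of builds whose SHA-1 is not registered: the usual cause of sign-in breaking after release."""
    known = {r.upper() for r in registered}
    return [name for name, fps in fingerprints_by_build.items() if fps.get("SHA1") not in known]


if __name__ == "__main__":
    builds = {
        "debug": keystore_fingerprints(os.path.expanduser("~/.android/debug.keystore"),
                                       "androiddebugkey", "android"),
        # Hypothetical release keystore path/alias; the password comes from the environment.
        "release": keystore_fingerprints("release.keystore", "release",
                                         os.environ.get("RELEASE_STORE_PASS", "")),
    }
    for name, fps in builds.items():
        print(name, "SHA1:", fps.get("SHA1"))
    print("not registered in the console:", missing_from_console(builds, REGISTERED))
```

Run it after building the release APK; any build listed as "not registered" needs its SHA-1 added in the console before sign-in from that build will work.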
Recently my game was hacked and one user submitted an impossible score to the server. The score was submitted with a verified checksum and correct data.
I'm convinced that the user must have reverse engineered my APK file to find the POST request.
Now I wonder what would be a good way to prevent this from happening again, and I thought about verifying the SHA1 signature of the app. Maybe this way I can make sure that the app is signed by me and is not a reverse-engineered and changed version of the app.
Would this be possible? Or would there be a better solution to solve this?
I am using LibGDX by the way.
First of all, you really have to obfuscate your code. You can find more information about ProGuard and code obfuscation here.
Second of all, you can use GoogleAuthUtil available in Google Play Services, which is available for devices running Android 2.2 or higher.
GoogleAuthUtil does exactly what you need:
Your client-server calls go to Google via an HTTPS request, Google checks whether or not the call is made by an app signed with your release certificate, and then it sends the request to your server.
You can find official tutorials about how to implement this here and official documentation here.
Cheers!
1) Use code obfuscation, e.g. ProGuard. These kinds of tools are available not only for Java.
But be careful with that: obfuscated code may run slowly or contain additional bugs.
2) Add an App Licensing check (this will check the app signature with Google Play):
Watch this video with attention:
https://www.youtube.com/watch?v=TnSNCXR9fbY
As I remember, he mentions techniques used at runtime to verify your app is not hacked or modified (zip check, etc.).
3) Make sure your app/server uses a secure connection (SSL/TLS) only with MODERN cipher suites. This will mitigate downgrade attacks.
You can use this generator to build a config with MODERN cipher suites for your server:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Also you can use certificate pinning on the client side; this will mitigate certificate authority attacks.
Do not use plain HTTP connection.
4) Use some kind of request signing (like Amazon AWS does).
You can get the core idea from their docs.
http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
Also this article should be helpful.
5) Prohibit usage of your app on rooted devices by adding a runtime check, because on a rooted phone it's easier to hack or analyze your app.
6) You can decrease fraud by adding some ban system to your online game: if somebody hacks your app and sends wrong data to your server, add this user to a ban list on the server side (by IP or by user ID, etc.). Probably add users to this list temporarily (e.g. 24 hr, 7 days).
7) Also, if you are using JSON/XML as data formats for the network layer, try to use a binary format like Protocol Buffers. Binary serialization formats are more efficient and harder to reverse engineer.
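Point 3 above (modern cipher suites plus certificate pinning on the client) translates into a small amount of client code. The block below is an added example written for this thread, not code from the answer or from LibGDX: it builds a verified TLS context with a TLS 1.2 floor and forward-secret AEAD suites, then pins the server's leaf certificate by SHA-256 fingerprint. The fingerprint in PINNED_SHA256 is a placeholder you record out of band from your own server.

```python
"""Client-side TLS hardening: protocol floor, modern suites, and leaf-certificate pinning.

Added example, not from the original answer. PINNED_SHA256 is a placeholder for the
SHA-256 of your server's DER certificate, recorded out of band."""
import hashlib
import hmac
import socket
import ssl

PINNED_SHA256 = "<hex sha-256 of the server's DER certificate, recorded out of band>"


def make_client_context() -> ssl.SSLContext:
    """Default verified context (system CA store + hostname check) with a higher floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse SSLv3/TLS 1.0/1.1: no downgrade
    # TLS 1.3 suites are always enabled; this restricts TLS 1.2 to ECDHE (forward secrecy)
    # with AEAD ciphers, in the spirit of the Mozilla "modern" profile.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned_hex.strip().lower())


def connect_pinned(host: str, port: int = 443, pinned_hex: str = PINNED_SHA256) -> ssl.SSLSocket:
    """Open a TLS connection that passes CA verification AND matches the pinned certificate."""
    ctx = make_client_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if not pin_matches(der, pinned_hex):
        sock.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return sock
```

Pinning to the leaf certificate means the pin must be updated in the client before the server certificate is rotated; pinning the server's public key (SPKI) instead survives renewals that keep the same key, which is a common reason to prefer it in production.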
If you want to verify the signature of your app without the possibility that this is cracked too, you would have to upload the whole APK and make the check on a server. This is not a practical solution.
The only secure android app is a pure terminal app, which means you'd have to do all computing on a server. Most of the time this won't be possible because of latency.
That's why we Android developers have to live with this: an app is not 100% secure.
But you can get close to it.
You might want to read the Security with HTTPS and SSL guide for securing your communication.
Also you'll want to ensure your client is hard to crack: android app piracy prevention and Combating Android App Piracy: Xposed
In your case you'll also want to implement server-side request validation:
If you have a game with a server side, users probably have an account. If a user sends a clearly impossible score, automatically disregard the request and ban the user (and their IP). (But also keep in mind that this should never happen to a valid request, otherwise users might get angry and stop playing.)
You can obfuscate your code better and use some very obfuscated secret to sign your requests. With that you can increase security.
But if all your game logic runs in the client it can't be completely secure, because it doesn't matter what you use to sign: if you do it in the client it means you have the secret or private key in the client, and then it can be hacked.
To make it more secure you need to move some game logic to the server and then check in that logic that the user isn't cheating.
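The request signing suggested in point 4 of the numbered answer and the caveat in the answer just above (the signing secret lives in the client) are easiest to see together. The following is an added example, not code from the thread or from AWS: a simplified HMAC-SHA256 scheme over a canonical body with a timestamp and a nonce, with the server verifying in constant time and rejecting stale or replayed submissions. SHARED_SECRET, the field names and the clock values are constructed for the example.

```python
"""Signed score submission: client-side signing, server-side verification with replay protection.

Added example, not from the original answers. A simplified HMAC scheme standing in for
SigV4-style signing; SHARED_SECRET and field names are constructed."""
import hashlib
import hmac
import json
import time

# Constructed. In a real app this key ships inside the APK, so assume it can be extracted:
# the signature stops casual tampering and replays, not a rebuilt client that knows the key.
SHARED_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so client and server MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, secret: bytes = SHARED_SECRET) -> str:
    return hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()


def client_submit(user_id: str, score: int, nonce: str, now: float = None) -> dict:
    """What the client sends: the body plus its signature."""
    ts = int(time.time() if now is None else now)
    body = {"user": user_id, "score": score, "ts": ts, "nonce": nonce}
    return {"body": body, "sig": sign(body)}


class Server:
    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.seen_nonces = set()   # persist this (with expiry) in a real deployment

    def verify(self, request: dict, now: float = None) -> tuple:
        """Return (accepted, reason). Signature is checked before anything else is trusted."""
        now = time.time() if now is None else now
        body, sig = request.get("body", {}), request.get("sig", "")
        if not hmac.compare_digest(sign(body, self.secret), sig):
            return False, "bad signature"
        ts = body.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        nonce = body.get("nonce")
        if not nonce or nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    server = Server()
    request = client_submit("alice", 120, nonce="n-0001")
    print(server.verify(request))   # accepted
    print(server.verify(request))   # same nonce again: replay rejected
```

Note what this does and does not buy: a modified body or a captured request sent twice is rejected, but anyone who has pulled SHARED_SECRET out of the APK can sign an arbitrary score, which is exactly why the answer insists on server-side game logic as well.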
Verifying the integrity of your app won't be enough, since the request can easily be faked outside the app or modified in memory on the fly, using a rooted Android environment. Even more, you cannot totally avoid it.
This is a problem shared by all applications running on a machine out of your control (all client applications). You can never trust the data coming from them.
As I can see it, you have several choices:
Obfuscate the code and make the app more difficult to reverse-engineer. Notice that this does not solve the problem, but minimizes it.
Move processing to the server. The more gameplay is controlled by the server, the less vulnerable your app will be to this malicious behavior.
Automatically detect impossible scores and close their accounts.
Cheers,
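Several answers converge on the same server-side control: record the session on the server, reject scores that could not have been earned in the elapsed time, and ban repeat offenders temporarily without ever hitting a legitimate player. The block below is an added example illustrating that logic, not code from the thread or from LibGDX; the scoring rate, tolerance, strike count and ban length are constructed values to be tuned from real gameplay telemetry.

```python
"""Server-side plausibility check for submitted scores, with strikes and a temporary ban.

Added example, not from the original answers. All thresholds are constructed values."""
import time

MAX_POINTS_PER_SECOND = 50        # constructed: fastest rate a legitimate player can score
TOLERANCE = 1.5                   # headroom so lag or clock skew never flags a valid request
ABSOLUTE_MAX_SCORE = 1_000_000    # constructed: hard cap regardless of session length
STRIKES_BEFORE_BAN = 2            # one impossible score is rejected; the second bans
BAN_SECONDS = 24 * 3600           # temporary ban, as the answers suggest


class ScoreValidator:
    def __init__(self):
        self.sessions = {}   # user -> server-recorded session start time
        self.strikes = {}    # user -> count of impossible submissions
        self.bans = {}       # user -> ban expiry time

    def start_session(self, user: str, now: float = None) -> None:
        """The server records when play started; a client-supplied duration is never trusted."""
        self.sessions[user] = time.time() if now is None else now

    def is_banned(self, user: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        expiry = self.bans.get(user)
        if expiry is not None and now < expiry:
            return True
        self.bans.pop(user, None)   # absent or expired ban
        return False

    def plausible_max(self, user: str, now: float) -> float:
        """Highest score reachable in the time the server knows this session has lasted."""
        elapsed = max(0.0, now - self.sessions[user])
        return min(ABSOLUTE_MAX_SCORE, elapsed * MAX_POINTS_PER_SECOND * TOLERANCE)

    def submit(self, user: str, score: int, now: float = None) -> str:
        now = time.time() if now is None else now
        if self.is_banned(user, now):
            return "rejected: banned"
        if user not in self.sessions:
            return "rejected: no session"
        if score < 0 or score > self.plausible_max(user, now):
            self.strikes[user] = self.strikes.get(user, 0) + 1
            if self.strikes[user] >= STRIKES_BEFORE_BAN:
                self.bans[user] = now + BAN_SECONDS
                self.strikes[user] = 0
                return "rejected: impossible score, user banned"
            return "rejected: impossible score"
        return "accepted"


if __name__ == "__main__":
    v = ScoreValidator()
    v.start_session("demo")
    print(v.submit("demo", 10))          # accepted (well within a few seconds of play)
    print(v.submit("demo", 10_000_000))  # rejected: impossible score
```

The plausibility bound is derived purely from server-side knowledge (session start, hard cap), so it holds even when the request is forged outside the app; the strike counter and generous tolerance keep the false-positive rate low, which the answers note matters as much as catching cheaters.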
I am trying to implement the APK Expansion Downloader Library into my application, but I am struggling to get past the LVL verification check.
Every time I run the application, I get a "Signature verification failed" message back from the LicenseValidator class. The application is signed in release mode, with a proper keystore.
I have checked maybe 10+ times that the PUBLIC_KEY I am using inside of the application is the same as on the developer account, yet it's still not working. I have also uploaded the application to the Play Store, with the expansion file (correctly named), and even added my account as a test account on the developer console. I have also tried adding the publisher account onto my device, and it's still not working.
I do not know what to do next, I need this to work and cannot find any help on the internet as to how to fix this.
Thanks
Adam
Did you have several versions of the expansion file? Because I had the same problem, as the API sent me the name of an old file... As a workaround, in the verification code I just replaced the version number... It's not terrible, but the bug does not come from me...
Fixed. Via "Manage apps" I stopped the Google Play Store app, cleared its data (not the cache, which was zero bytes), then restarted my licensed app; licensing now works.
If I lost the original certificate.keystore file created with keytool, but have the exact terminal output and everything I entered to make it, is that enough to be able to create a new certificate that the Android Market publish site will accept without saying that the new APK must be signed with the same certificate?
This is a MAJOR flaw in the Google Android Market. Unlike Apple, where you can request your certificate with your Apple developer account, Google has no such service yet. If you lose your certificate, that's it. You will be unable to publish an updated version of your app for people to download.
Best thing to do is let your userbase know there is a new version of the app out with changes that made it impossible to update normally, and they need to uninstall the old version and download the new version; unpublish the old version from the app store and publish the new one. (It's a bit of a white lie, but people won't cry too much, and it's a lot better than saying you lost the certificate; most users won't even know what you are on about.)
Then keep your certificate duplicated for backups and keep it SAFE!!! Email it to yourself, put it on an unnamed flash drive (in case it gets stolen people won't know what the certificate's for). Gmail is good because it's easy to retrieve mail from months ago with keywords. Burn it on a CD and put it in your medicine cabinet if you have to.
Hope this helps, good luck
I don't think the generated certificate and the private key will be the same.