java - Protect a DB against rooted devices -

-

imagine have game, need save data every user level, highscore, gold,...
if saved of these locally (on user´s device) aren´t safe , modified user rooted device , bit of skill. (as discussed here)

so need put them on database on server - i´d connect webservice , json.

but realized isn´t safer: if can apk, can decompile it, code used post highscore, , either edit post 1,234,567 (and compile again) or extract , post highscore.

in case of highscore, it´s not big problem - this, it´s possible get/post that´s used in app.

how can protect app/database against this?

my ideas:

  1. encrypt post: can´t work, encryption happens on device
  2. encrypt post seed db: "hacker" can seed aswell, not safer
  3. generate key every connection: same first

in 1 sentence: long "hacker" can mirror behaviour of app, there way of ensuring connection db opened app , not else?

you need change approach this. if don't want user change data, don't put on device. server needs master of data in example give. use local database cache use display, sync , validate against server when can. way doesn't matter if rooted user chooses change devices database. data posted server needs come authenticated user. there no way make sure data isn't being tampered locally on users device.

decompiling app should not expose way user post data server. let user authenticate server , give him expiring ticket/token in return. @ accountmanager, , sample samplesyncadapter. official developer site has great reading well. handling user data

in general, recommend minimizing frequency of asking user credentials—to make phishing attacks more conspicuous, , less successful. instead use authorization token , refresh it.

where possible, username , password should not stored on device. instead, perform initial authentication using username , password supplied user, , use short-lived, service-specific authorization token.

also @ how signing application works make sure "approved" builds of app can communicate server.


Comments

Post a Comment

Popular posts from this blog

javascript - DIV "hiding" when changing dropdown value -

-
this related previous question asked: hide / show multiple divs i have code in place previous question , seems work ok apart when change value in dropdown "after" ticket selection made. i have number of javascrpts in place wondering if there clash somewhere? first bit of code in head of document. <head> <script type="text/javascript"> $(function() { $('.cat_dropdown').change(function() { $('#paymethod').toggle($(this).val() >= 2); }); }); </script> <script type="text/javascript"> $(document).ready(function () { $(".paymentmethod").click(function () { $(".paymentinfo").hide(); switch ($(this).val()) { case "credit card authorisation": $("#pay0").show("slow"); break;
Read more

Does Firefox offer AppleScript support to get URL of windows? -

-
i trying write applescript that, among other things, gets url of every open webpage in firefox. in safari (and chrome), done simply: tell application "safari" return url of every tab in every window however, seems me firefox offers no real applescript support, such getting url of tab or window. when google terms "firefox" , "applescript" together, firefox bug requests asking applescript support restored, last updated in 2010 or 2011 (like this , this ). am right in thinking, then, firefox no longer offers proper applescript support? realize there semi-workarounds, such simulating key-commands in applescript, aren't practical purposes. to see of applescript commands firefox responds to, launch applescript editor, select menu file > open dictionary... , , choose firefox application. you'll find you're expecting: firefox doesn't offer useful applescript commands.
Read more

android - How to install packaged app on Firefox for mobile? -

-
how test-install packaged (zip) app on fennec? device: physical android phone or android emulator, don't care. install mozilla-apk-cli using npm: npm install -g mozilla-apk-cli use generate "debuggable" apk app either source directory or url mini-manifest: mozilla-apk-cli /path/to/source/dir/ arbitrary-name.apk mozilla-apk-cli http://example.com/path/to/mini/manifest.webapp arbitrary-name.apk (context-click > inspect element on "free" button in marketplace discover mini-manifest url app in marketplace.) install apk on android device: adb install -r arbitrary-name.apk launch app on device. notification area notification port remote debugger server listening on. forward port on desktop, f.e. if port 12345: adb forward tcp:12345 tcp:12345 go web developer > connect… in firefox on desktop , connect localhost @ forwarded port. commence debugging! notes: use nightly builds of fennec best experience. bug 929382 tracks
Read more