Home/ Questions/Q 9250625
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T10:29:14+00:00

In my folder assets/data , there are a lot of XML files containing static

  • 0

In my folder assets/data, there are a lot of XML files containing static data for my app.

It’s really easy for someone to retrieve an APK, modify a part of it and install on a device.

I would like to prevent users to alter my static data by checking the integrity of my assets/data folder.

Initially I was considering to use MD5 checksum, but it will probably be too slow for the amount of files I gonna have (50-100).

Do you have any suggestion?

Edit:

This app is a game with an XML file describing each level.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ll describe how you can effectively protect against modification and repackaging, not how you can protect the assets on their own, although you could ultimately apply the same technique to encrypting them. It’s imperfect, but you can make modification significantly more difficult.

    You sign the application with a certificate. Although they can remove yours, noone else can produce the same certificate when putting it back together. You can therefore check the signature of the application at runtime, to make sure it’s what you expect.

    Here’s some cheap and nasty code to do this:

       PackageManager pm = context.getPackageManager();

   PackageInfo info = pm.getPackageInfo( context.getPackageName(), PackageManager.GET_SIGNATURES );

   if ( info.signatures[ 0 ].toCharsString().equals( YOUR_SIGNATURE ) )
   {
     //signature is OK
   }

    where YOUR_SIGNATURE is a constant, obtained from running this code on the signed app.

    Now, there are two remaining problems that you have already hinted at:

    1. how can you stop someone just modifying the constant in the source code to match their certificate, then repackaging and re-signing the app?

    2. how can you stop someone finding the check method and removing it?

    Answer to both: you can’t, not absolutely, but you can do a pretty good job through obfuscation. The free Proguard, but more usefully the commercial Dexguard, are tools for doing this. You may baulk at the current €350 cost of the latter; on the other hand, I have tried to reverse engineer apps that are protected like this, and unless the stakes were very high, it isn’t worth the trouble.

    To an extent, you could also do the obfuscation for (1) yourself; have the signature ‘constant’ assembled at runtime through some complicated programmatic method that makes it difficult to find and replace.

    (2) is really a software design issue; making it sufficiently complicated or annoying to remove the check. Obfuscation just makes it more difficult to find in the first place.

    As a further note, you might want to look at whether stuff like Google Licensing gives you any protection in this area. I don’t have any experience of it though, so you’re on your own there.

    • 0