All Questions

894 questions with no upvoted or accepted answers

11 votes, 0 answers, 894 views

KeyAttestation in Android Nougat API 24

I read about the new key attestation API in Android N and wanted to test it but I'm missing some classes. The key attestation is described here: https://developer.android.com/preview/features/key-...

8 votes, 0 answers, 857 views

Keystore getEntry returns NULL on Android 9

I have encrypted and decrypted a login password which is stored in the Android Keystore. On Android 9, I observed that the app crashes when trying to decrypt the password (I am not able to reproduce ...

8 votes, 1 answer, 3k views

Android M - Keychain like storage for username/password

Here's the workflow from iOS that I'm trying to achieve on Android: User starts app for the first time and Logs in successfully with credentials (sent to API for validation). Prompt shows asking to ...

8 votes, 1 answer, 271 views

Make one IAP valid for different applications

Until now, I distributed my app on the Play Store with an in-app purchase to disable ads. I am redesigning the whole app and I'd like to split it into two applications: one for mobile devices (like ...

7 votes, 0 answers, 83 views

Is OTP less authentication possible in Android?

Problem Statement: User X wants to Log In or Signup to App A and App B. Considering:- OS Environment: Android User X, Device D, App A and App B(App A and App B are two different organizations) App A ...

7 votes, 0 answers, 883 views

Storing secret key in KeyStore without the ProtectionParameter

Until now I have stored my application secrets in the KeyStore with the following code: // creating a instance KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); // ...

7 votes, 0 answers, 1k views

Handing android app code to another developer: keystore management

I'm a freelance android developer. I have my own keystore file I use to sign the apk files I build for my customers. I give full source code to my customers along with the signed apk files. Most of ...

7 votes, 1 answer, 6k views

Detect screenshot attempts on Android 4.0+

I am developing an Android application that places a high priority on protecting the user's data, to the point of storing nothing in persistent memory on the local device. To further protect user ...

7 votes, 1 answer, 866 views

On Google App Engine, can I relate a Google OAuth 2 Token and a SACSID token I got using Android's AccountManager?

I am writing a Google App Engine application along with a CLI client, an Android client and a Javascript client. The purpose of this application is to allow one to control an Android phone on which ...

7 votes, 1 answer, 2k views

How can I manage in-app billing transactions on an external server securely?

I'm attempting to implement a system for upgrading/unlocking various features of my app using "managed" purchases with in-app billing, and I'm getting bogged down by the lack of in-depth documentation ...

7 votes, 2 answers, 1k views

How to ask Permission in OPPO again if user denies permission in Oppo Lollipop version?

I am facing a problem on an Oppo mobile - Lollipop version. I need write contact permission in my app, but in Oppo Lollipop it asks for Oppo's own security permission. If I deny that permission then application ...

6 votes, 0 answers, 298 views

EncryptedSharedPreferences without MasterKeys.getOrCreate()

I found out that the default way of using EncryptedSharedPreferences is to create the key with MasterKeys for it. However, when I replace val masterKeyAlias = MasterKeys.getOrCreate() with a sample ...

6 votes, 0 answers, 1k views

Android: Detect whether device can be unlocked with fingerprint

I have an app that uses fingerprint-authentication. As an extra security-measure I'd like to detect whether the fingerprint is used to unlock the device. I tried retrieving the lock-mode in the ...

6 votes, 0 answers, 2k views

Android RSA key length

I would like to generate and store securely a 4096 bit RSA key pair on an Android device running API 18+ (4.3). The documentation states the AndroidKeyStore supports 4096 bit keys on API 18. However ...

6 votes, 0 answers, 2k views

Android APK tamper detection from NDK/JNI

Problem: I have some keys which I want to keep safe. At present, a native shared library generates them on demand. This shared library is used by my apk to get keys. The problem with the current ...

6 votes, 0 answers, 576 views

How does Google Maps for Android v2 API key verification work?

I am wondering how does Google Maps Android v2 API key verification work? (I know how to request key and use it in an Android project.) I am just interested in the method how it checks the app ...

5 votes, 0 answers, 181 views

Getting issue while loading image in push-notification Service :Unable to resolve host : No address associated with hostname

We are getting images in the notification payload. In notification payload we got AWS s3 URL like this: https://s3-ap-southeast-1.amazonaws.com/mybucketname/images/users/ce4f4bdf-3458-4fac-8faa-...

5 votes, 2 answers, 318 views

How to Safely Zero and release all memory pages used by an Android App?

I'm a software engineer building an Android App that will be used by a government agency. One requirement in our contract is that the app must be FIPS 140 compliant. https://en.wikipedia.org/wiki/...

5 votes, 0 answers, 267 views

How can I lock only device administrators setting

I am working on a security application. The user can't uninstall the application without entering a correct password. I am on device administrator permission in the app. But when the user tries to install the app then he/...

5 votes, 0 answers, 785 views

I want to store users' profile images in S3 and display them client side - what is the best practice for exposing S3 objects to mobile client?

So I have an Android chat application where users can create profile photos. These photos are sent to my Node JS backend where I upload them to my AWS S3 bucket. I store the key to their image in my ...

5 votes, 0 answers, 1k views

RSA_padding_check_PKCS1_type_1:block type is not 01

When decrypting on Android I got the error: javax.crypto.BadPaddingException: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01. My code is as follows: cipher = ...

5 votes, 0 answers, 209 views

Using Android Fingerprint API to check if a new fingerprint has been added

I am doing some testing of an application that uses android fingerprint authentication. This app only allows fingerprint authentication, but it is possible to add a new fingerprint using the lock ...

5 votes, 0 answers, 2k views

KeyguardManager.createConfirmDeviceCredentialIntent Before API Level 21 equivalent?

I would like to use the KeyguardManager.createConfirmDeviceCredentialIntent To allow the OS to verify the identity before allowing the user of my app to access secure information. This works very ...

5 votes, 1 answer, 2k views

Facebook mobile login and server-side validation

I am working on a mobile app that has an integrated Facebook login (using the fb android sdk). I also have a server that has some rest endpoints on it that I would like to secure. I have been looking ...

5 votes, 2 answers, 1k views

How to avoid showing consent screen in our own native apps when external authentication?

Background We have developed a web application featuring a rest-api using oauth2/oidc and support for third party apps We have developed our own native apps for android and ios. Currently they ...

4 votes, 0 answers, 3k views

How to detect a screen overlay on android

Is there any way to detect if a screen overlay is present over my app on android? Or at least if there is a way to prevent screen overlays over my app? I found an open source app that is designed to ...

4 votes, 2 answers, 1k views

In-app billing developer payload argument?

I've Googled this concept six ways from Sunday and I feel like I can't find a straight answer on it. The official Google docs say it isn't meant for security, but then a bunch of answers I find seem ...

4 votes, 0 answers, 203 views

How to add Lusca Security for Express API REST with Angular and Android Native app like Clients?

I'm not sure what the best option is to add a CSRF token for my forms on the website while still using the same endpoints for my Android app :/ I can create new endpoints for Android but I think that ...

4 votes, 0 answers, 2k views

How to disable kernel module signing in Android by adb

Kernel module signing protects the kernel from all the modules that are loaded into the kernel during runtime. In Android, all the modules under /system/lib/modules must be checked before load, the ...

4 votes, 1 answer, 1k views

Android device administrator - Disable camera not applied in (Multi-user) Guest account

I have implemented a device administrator application that disables the camera, among other things, based on certain requisites (server side logic) etc. devicePolicyManager = (DevicePolicyManager)...

4 votes, 0 answers, 621 views

Building BoringSSL and Conscrypt and bundling with Android apk

I'm sure I saw an official guide on this on the Conscrypt project site but I cannot find it at all now. I'm wondering about the possibility of building BoringSSL locally and making it available via a ...

4 votes, 0 answers, 61 views

May my Android application imitate system Intent?

When an Android device receives a message, a broadcast intent 'android.provider.Telephony.SMS_RECEIVED' is fired. The intent also includes the SMS that is sent. Does Android have any defence against ...

4 votes, 0 answers, 2k views

Android SSLKEYLOGFILE

It's the first time I post here. I have a project at my university about Android. I would like to be able to store SSL keys in a file on my Android device, like SSLKEYLOGFILE on Windows. As you can find that ...

4 votes, 1 answer, 626 views

Is it possible to prevent the debugger from attaching on Android?

I'm doing some reverse engineering protection on Android and I want to prevent debugging of the app. I know how to detect when a debugger is attached but is there a way to block it from attaching in ...

4 votes, 0 answers, 346 views

Hide internal API and methods in aar

Let's say I have a requirement: I have to give my application to the client. So I created an AAR and gave it to them, so they can integrate this library into their own application. However, how can I ...

4 votes, 2 answers, 1k views

LibGDX : Android Game Security

I am developing a game using the LibGDX framework. I want to know how to make the game more secure. For example, a user with a rooted Android device can change the save .xml file so the game will be hacked, or ...

4 votes, 0 answers, 417 views

Self-signed certificate for Android Application

I am developing an Android application which interacts with my server. For including the SSL layer, I created a self-signed certificate for my server. So, at present when I access my server through a ...

4 votes, 0 answers, 337 views

Request custom permission with protection level=signature with a mismatch signature?

Let's say I have a server app that declares a custom permission called com.testpackage.mypermission, which is needed to start ServerActivity <?xml version="1.0" encoding="utf-8"?> <manifest ...

4 votes, 0 answers, 570 views

List of trusted CA certificates programmatically in Android

I know the user can view the trusted CA certificates installed on the device by looking into: settings > security > trusted CA certificates. Do you know if (and how) from inside my application I can get the ...

4 votes, 2 answers, 4k views

Authenticating mobile device

I'm developing client-server application, where client applications will run on mobile devices (Android, iOS) and will communicate with the server via HTTP protocol. Mobile applications will be ...

4 votes, 1 answer, 172 views

Verifying that message came from a specific app/end point

I'm trying to build a secure system for transmitting data from a client Android app to a web server running PHP. What I want to do is ensure that the system is cryptographically secure in such a way ...

4 votes, 1 answer, 490 views

In-App Billing v3 reliability flaw

First, thanks Google for the new IAB API, which seems to be much easier to use in comparison to the previous one. Also the new example is a great leap forward in comparison to the old one, so far only one crash at ...

4 votes, 2 answers, 465 views

Prevent device lock in android while my activity is running AND device is connected to charger

I've got a night clock app and I want to disable the keyguard for the device while the app is running AND the device is on a charger. The idea is that if you are on a charger and this app is running ...

4 votes, 1 answer, 2k views

How to add PBKDF2WithHmacSHA1 for android api 8 (Froyo)

I need some help. I am writing an app and need to use the "PBKDF2WithHmacSHA1" algorithm (cannot change server side), but that doesn't work in Android (not supported), but then I create android-maven project ...

4 votes, 1 answer, 769 views

Android: Security Concern: classes.dex Publicly exposed WebService Name is visible in the file

I am not too sure about how secure an apk file is and therefore this question. We have an application which gets the result from a publicly exposed webservice. However, when we tried to open the ...

3 votes, 0 answers, 49 views

How to check if user has unlocked device with the biometrics or PIN/Password?

I am trying to figure out if user has unlocked the device with the traditional PIN/Password method or with the biometrics like Face unlock or Fingerprint. I tried some answers out there like https://...

3 votes, 1 answer, 29 views

Securely connect Bluetooth device to Android

I am developing a device that needs to communicate securely to an Android app via Bluetooth. I need that only a predefined phone to be able to communicate with my device for security reason. And I ...

3 votes, 0 answers, 637 views

FLAG_WINDOW_IS_OBSCURED not working on newer android

I have been implementing tapjacking defence in android app, but I found out that flag FLAG_WINDOW_IS_OBSCURED is set on android 7.0, but not on android 10.0 while window is obscured by another ...

3 votes, 1 answer, 541 views

Start BLUETOOTH_SETTINGS Action Returns SecurityException (Requires BLUETOOTH_ADMIN Permission)

I'm trying to get to the Bluetooth Settings page on Android with this ADB command. adb shell am start -a android.settings.BLUETOOTH_SETTINGS However, I get a SecurityException for the response ...

3 votes, 0 answers, 578 views

How to bypass SSL Pinning of an Android App

I want to bypass the SSL pinning of an Android app using the Frida Server method. I have followed the whole process described in this (https://blog.it-securityguard.com/the-stony-path-of-android-%F0%...