天道酬勤,学无止境

android-security

如何在android中安全地保存Oauth访问令牌(How to save Oauth Access token securely in android)

问题 身份验证后我有来自服务器的访问令牌可以说"uyhjjfjfgg567f8fhjkkf"现在我想安全地将它保存在设备中。 我在 android 开发者网站上查看了 Keystore 和 Keychain。 我不清楚它是如何工作的以及我们应该如何从密钥库中检索令牌。 KeyPairGenerator kpg = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore"); kpg.initialize(new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .build()); KeyPair kp = kpg.generateKeyPair(); /* * Load the Android KeyStore instance using the the * "AndroidKeyStore" provider to list out what entries are * currently

2021-12-01 12:30:05    分类:技术分享    android   oauth   access-token   android-security

You are using an unsafe implementation of X509TrustManager

I've an app in Google Play, today I received a mail from Google saying that: Google Play warning: You are using an unsafe implementation of X509TrustManager It says something about the SSL certificate issues and a way to solve the issue. I'm asking this question because of curiosity, Actually what is this warning all about ? I'm not using any network related activities in my app (it's a local database driven app), so why this warning occurred for my app? More Details: My app was built using Appcelerator Titanium and google says this implementation is in ti.modules.titanium.network

2021-11-27 12:30:34    分类:问答    android   appcelerator   appcelerator-titanium   android-security   trustmanager

Caused by: java.security.NoSuchProviderException: no such provider: Crypto - Android N [duplicate]

This question already has answers here: SecureRandom provider "Crypto" unavailable in Android N for deterministially generating a key (3 answers) Closed 5 years ago. Seems like "Crypto" provider has been removed in Android N. My application crashing because of NoSuchProviderException. If I change the provider and Algorithm then it will affect user who are all using the app currently. Any one have a idea? KeyGenerator kGen = KeyGenerator.getInstance(KEY_GENERATOR_ALGORITHM); SecureRandom sr = SecureRandom.getInstance(STR_SHA1PRNG, **CRYPTO**); sr.setSeed(seed); kGen.init(128, sr); SecretKey

2021-11-25 06:18:15    分类:问答    android   cryptography   android-security   android-securityexception

Google Play warning: Your app contains a Cross-App Scripting Vulnerability

Good day all, I got a email from google play regarding Cross-App Scripting Vulnerability in one or more my published apps. I am using WebView in my apps, so they says my app contains webView Cross-App Scripting issue which can allow malicious apps to steal user cookies and other data. And They give what action I am going to take, that is Action required Please follow the steps below to fix the issue with your apps (listed at the end of this email). You can refer to the notice in your Play Console for the deadline to fix this problem. After this deadline, updates to affected apps will be

2021-11-24 10:19:12    分类:问答    android   android-webview   android-security   google-play-console

如何以编程方式获取使用访问权限(How to get Usage Access Permission programmatically)

问题 我的应用程序需要具有使用访问权限才能获取有关用户手机上当前正在运行的应用程序的信息。 在以下链接的帮助下,我能够使用以下代码成功实现它。 使用访问应用程序 这是我的工作代码 public void showDialog() { if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.LOLLIPOP) { @SuppressWarnings("WrongConstant") UsageStatsManager usm = (UsageStatsManager) getSystemService("usagestats"); long time = System.currentTimeMillis(); List<UsageStats> appList = usm.queryUsageStats(UsageStatsManager.INTERVAL_DAILY, time - 1000 * 1000, time); if (appList.size()==0) { AlertDialog alertDialog = new AlertDialog.Builder(this) .setTitle("Usage Access") .setMessage("App will not run

2021-11-21 19:20:29    分类:技术分享    android   android-security   usagestatsmanager

How to save Oauth Access token securely in android

I have access token from the server after authentication lets say "uyhjjfjfgg567f8fhjkkf" now I want to save it in the device securely. I looked in Keystore and Keychain in android developer sites. I dont clearly understand how it works and how we should retrieve the token from the keystore. KeyPairGenerator kpg = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore"); kpg.initialize(new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .build()); KeyPair

2021-11-21 06:50:06    分类:问答    android   oauth   access-token   android-security

What path to put executable to run on Android 29?

My Android app includes a set of executables that are extracted to app directory (/data/data/%package%/) on the first run. It worked just fine if targeted to Android 28 (targetSdkVersion). Since November 2, 2020 it not allowed in Google Play and all the apps must target to 29. So it stopped working with permission exception. What directory should executables be put to now? PS. Some similar apps have the same issue.

2021-11-21 01:24:27    分类:问答    android   executable   android-security

What is the alternate for onReceivedSslError() in Webview?

I am working on app that will connect user with available open WIFIs by providing their landing pages (having login option) in the app. Google is showing alert for using onReceivedSslError() in WebView for loading Wifi's landing page in the app. If I remove this method then link will not work. In order to make it functional I need to add the domain name in the network_security_config.xml file but I do not know which link will be shown by wifi's vendors as it is not in my control. This insist me to use onReceivedSslError() method in Webview. I am showing alert dialog inside onReceivedSslError()

2021-11-21 00:52:15    分类:问答    ssl-certificate   android-webview   android-security   sslerrorhandler

How to get Usage Access Permission programmatically

My app needs to have Usage Access Permission in order to get information about the current running app on user's phone. I am able to successfully implement it using the following code with the help from the following link. Usage Access apps Here is my working code public void showDialog() { if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.LOLLIPOP) { @SuppressWarnings("WrongConstant") UsageStatsManager usm = (UsageStatsManager) getSystemService("usagestats"); long time = System.currentTimeMillis(); List<UsageStats> appList = usm.queryUsageStats(UsageStatsManager.INTERVAL

2021-11-15 15:03:17    分类:问答    android   android-security   usagestatsmanager

Gradle task for classes.dex CRC calculation

I'd like to create a Gradle task that computes the classes.dex CRC, then writes the resulting value into a resource string. This value will be checked at runtime to determine whether the APK has been tampered or not. The problem is that beginning with Gradle plugin 1.4.+ it is not possible to access the dex task anymore. Instead, we should use Transform API. I found very little documentation about Gradle tasks in the Android environment, so I would ask a few questions: What's the Gradle task that deals with the classes.dex file? How should the Transform work with this task? I've seen lots of

2021-11-08 12:02:05    分类:问答    android   android-gradle-plugin   android-security