b.ben b.ben - 1 month ago 5
Android Question

How can we detect a modified version of code accessing the server?

From this: we can't prevent reverse engineering.
But how do we detect if the app has been modified and is trying to access our server?
Especially on iOS and Android.

Answer

Something we have used with success for a while now is the following:

  1. During the compile phase, make MD5s of the DLLs and executable and save them to a place the server can access.
  2. Before the client connects to the server, have it compute the MD5s as well.
  3. OnConnect, send the MD5s to the server and have the server validate them.

Since the correct MD5s should be a secret to the server, you will catch early attempts made to modify the code, and flag those accounts for further review. But even then an above-amateur level dev will figure this out and just send the MD5s you are expecting.

It's not foolproof, but I honestly believe nothing is; all you can do is complicate it as much as possible. This does complicate things a little bit, since the MD5s will change every time you publish an update. You could even hash the MD5 with the connectionID, which would make the hash each connection sends to the server unique.

Using this approach will make it impossible to disable/remove the checks, because the server always expects an MD5/hash to be sent.

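```csharp
using System.IO;
using System.Security.Cryptography;

// Computes the MD5 of one file on disk (call once per DLL/executable).
static byte[] ComputeFileMd5(string path)
{
    using (var md5 = MD5.Create())
    using (var stream = File.OpenRead(path))
    {
        return md5.ComputeHash(stream); // returns the MD5 byte[]
    }
}
```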

As the post you linked to said very well: you basically can't protect your application from being modified. And any protection you put in there can be disabled/removed. You can do different tricks to make hacking harder, though.
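
The server side of the check described in the answer, including the per-connection variant, as an added example that is not the answerer's code. It swaps MD5 for SHA-256 and mixes in the connection ID with HMAC; the class name, version strings and "binary" contents are constructed for illustration, and .NET 6 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical verifier; all names and sample values below are constructed.
public static class BuildIntegrityCheck
{
    // Digests recorded at build time, keyed by released version (step 1).
    // An older version stays listed until its clients have updated.
    static readonly Dictionary<string, byte[]> KnownBuilds = new Dictionary<string, byte[]>
    {
        ["1.4.0"] = SHA256.HashData(Encoding.UTF8.GetBytes("constructed binary 1.4.0")),
        ["1.4.1"] = SHA256.HashData(Encoding.UTF8.GetBytes("constructed binary 1.4.1")),
    };

    // Fresh random ID per connection, so a captured response cannot be replayed.
    public static byte[] NewConnectionId() => RandomNumberGenerator.GetBytes(16);

    // What an unmodified client sends: HMAC(key = file digest, message = connection ID).
    public static byte[] Respond(byte[] fileDigest, byte[] connectionId)
    {
        using (var hmac = new HMACSHA256(fileDigest))
            return hmac.ComputeHash(connectionId);
    }

    // Server: recompute from the stored digest and compare in constant time.
    public static bool Verify(string version, byte[] connectionId, byte[] response)
    {
        if (!KnownBuilds.TryGetValue(version, out var expectedDigest))
            return false; // unknown or retired build
        return CryptographicOperations.FixedTimeEquals(
            Respond(expectedDigest, connectionId), response);
    }

    public static void Main()
    {
        byte[] id = NewConnectionId();
        byte[] genuine = Respond(KnownBuilds["1.4.1"], id);
        byte[] patched = Respond(SHA256.HashData(Encoding.UTF8.GetBytes("patched binary")), id);

        Console.WriteLine(Verify("1.4.1", id, genuine));                // unmodified build
        Console.WriteLine(Verify("1.4.1", id, patched));                // modified build: flag the account
        Console.WriteLine(Verify("1.4.1", NewConnectionId(), genuine)); // response replayed on a new connection
    }
}
```

A failed `Verify` is a signal to flag the account for review rather than proof of tampering, since a client that is simply out of date also fails once its version is retired.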
