I hereby claim:
- I am scottyab on github.
- I am scottyab (https://keybase.io/scottyab) on keybase.
- I have a public key whose fingerprint is 88AE 289F 03AE 3684 94BA B89F A056 9F94 AD10 76CD
To claim this, I am signing this object:
Scott Alexander-Bown scottyab
scottyab
/ IntentExtraEample.java
Created
May 14, 2014 16:23
When using Intent extras, pass an Id rather than the object as Intent extras 'could' be intercepted and read be a malicious app.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //bad passing the whole paracable object | |
| public static Intent getStartingIntent(Context context, | |
| User user) { | |
| Intent i = new Intent(context, UserDetailsActivity.class); | |
| i.putExtra(EXTRA_USER, user); | |
| return i; | |
| } | |
| //better to pass just the ID to lookup the user details | |
| public static Intent getStartingIntent(Context context, |
scottyab
/ SafePendingIntent.java
Created
May 14, 2014 16:10
Creating an explicit pending intent is safer than implicit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //explicit (to MyService) | |
| Intent intent = new Intent(context, MyService.class); | |
| PendingIntent pi = PendingIntent.getService(getApplicationContext(), 0, intent, PendingIntent.FLAG_UPDATE_CURRENT); | |
| //implicit | |
| Intent intent = new Intent("com.my.app.action") | |
| PendingIntent pi = PendingIntent.getService(getApplicationContext(), 0, intent, PendingIntent.FLAG_UPDATE_CURRENT); |
scottyab
/ SaferWebViewClient.java
Created
May 14, 2014 15:36
Make Webview safer - some of the code based on recommendations in article https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Implements whitelisting on host name | |
| */ | |
| public class SaferWebViewClient extends WebViewClient { | |
| private String[] hostsWhitelist; | |
| public SaferWebViewClient(String hostsWhitelsit){ | |
| super(); | |
| this.hostsWhitelist = hostsWhitelist; |
scottyab
/ Installation.java
Last active
August 29, 2015 14:01
Code from http://android-developers.blogspot.co.uk/2011/03/identifying-app-installations.html -- For the vast majority of applications, the requirement is to identify a particular installation, not a physical device. Fortunately, doing so is straightforward. There are many good reasons for avoiding the attempt to identify a particular device. Fo…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package com.vf.tools | |
| import java.io.File; | |
| import java.io.FileOutputStream; | |
| import java.io.IOException; | |
| import java.io.RandomAccessFile; | |
| import java.util.UUID; | |
| import android.content.Context; |
scottyab
/ keybase.md
Created
April 11, 2014 16:02
scottyab
/ QuickInstallScript.sh
Last active
August 29, 2015 13:58
From article http://www.vkalchev.co.uk/content/quickinstallapk/ Spoke to Val and he clarified the Licensed under the Apache License, Version 2.0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #Licensed under the Apache License, Version 2.0 (the "License"); | |
| #you may not use this file except in compliance with the License. | |
| #You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 | |
| #Copyright 2013 Valentin Kalchev | |
| #Date: 26/02/2013 | |
| #Target: Mac OS X Terminal + Android ADB + AAPT | |
| sharePackageName="" |
scottyab
/ become-spongy.sh
Created
December 17, 2013 12:01
Script to rename bouncycastle files to be spongycastle. From https://github.com/rtyley/spongycastle/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # no further use for remaining crypto stuff | |
| rm -Rf crypto | |
| # Package rename org.bouncycastle to org.spongycastle | |
| find -name bouncycastle | xargs rename s/bouncycastle/spongycastle/ | |
| find bc* -type f | xargs sed -i s/bouncycastle/spongycastle/g |
scottyab
/ Repository.java
Created
November 7, 2013 09:29
— forked from kdehairy/Repository.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class Repository extends SQLiteOpenHelper { | |
| private static final int VERSION = 1; | |
| private static final String DATABASE_NAME = "data.sqlite"; | |
| private static File DATABASE_FILE; | |
| // This is an indicator if we need to copy the | |
| // database file. | |
| private boolean mInvalidDatabaseFile = false; | |
| private boolean mIsUpgraded = false; | |
| private Context mContext; |
scottyab
/ PRNGFixes.java
Last active
February 6, 2017 02:58
Enforce correct initialisation of Random numbers - call this from Application.onCreate(). Basically copy of the code from the Some SecureRandom Thoughts blog post http://android- * developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package com.scottyab.encryption; | |
| /* | |
| * This software is provided 'as-is', without any express or implied | |
| * warranty. In no event will Google be held liable for any damages | |
| * arising from the use of this software. | |
| * | |
| * Permission is granted to anyone to use this software for any purpose, | |
| * including commercial applications, and to alter it and redistribute it | |
| * freely, as long as the origin is not misrepresented. |
scottyab
/ SignatureCheck.java
Last active
October 7, 2024 22:46
Simple Android signature check. Please note: This was created in 2013, not actively maintained and may not be compatible with the latest Android versions. It's not particularly difficult for an attacker to decompile an .apk, find this tamper check, replace the APP_SIGNATURE with theirs and rebuild (or use method hooking to return true from `vali…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import android.content.Context; | |
| import android.content.pm.PackageInfo; | |
| import android.content.pm.PackageManager; | |
| import android.content.pm.PackageManager.NameNotFoundException; | |
| import android.content.pm.Signature; | |
| public class TamperCheck { | |
| //we store the hash of the signture for a little more protection | |
| private static final String APP_SIGNATURE = "1038C0E34658923C4192E61B16846"; |