by Someone1234
4156 days ago
Fair enough. Did you see my point about just hashing log4j.properties's contents? Since I assume you won't be modifying it after you publish as you don't want debugging. As long as you check the hash before you decrypt any XML this should solve your concerns. In order for someone to then abuse the debugging functionality on Santuario they would need to modify your APK which is frankly just as big of a barrier as finding and pulling the private key(s).

It's pretty easy to unpack an APK, change log4j stuff to DEBUG, repack, and run vs. unpacking APK, disassemble class files, go through files, find how key is stored, routine for deobfuscation, etc.