- Content-Encoding:gzip
- Transfer-Encoding:gzip
Amazing discovery of the day: command-line cURL, as of v.7.21.6, recognizes both, while the cURL functions in PHP, as of PHP 5.3.3, only respect the former.
Thursday, December 22, 2016
Encoding? Compression? You tell me...
In HTTP, there are two ways to specify compression of the content:
Tuesday, December 20, 2016
Strikes again
Just a few days after I wrote about the in-app purchase simulator, someone tried it again. Not that they've succeeded; the server-side order signature check caught it. But the device-side check didn't. I'm really wondering how'd they do that.
Here's the first step: I'm going to try reimplementing the signature check by hand, and see if the fake order passes that. I suspect the IAP simulator taps into Java's built-in Signature.verify() method, making it return a hard-coded true. It wouldn't know about my homegrown implementation, obviously.
The signature algorithm that Google Play uses is well known, it's SHA1 with RSA. Normally, I'd be the first one to recommend against building your own crypto primitives, but in this case, it's probably justified, at least as the first step to counteract the fraud. I can probably still use the built-in SHA1, just need to reimplement the RSA portion. The latter is a bunch of BigInteger arithmetic.
Here's the first step: I'm going to try reimplementing the signature check by hand, and see if the fake order passes that. I suspect the IAP simulator taps into Java's built-in Signature.verify() method, making it return a hard-coded true. It wouldn't know about my homegrown implementation, obviously.
The signature algorithm that Google Play uses is well known, it's SHA1 with RSA. Normally, I'd be the first one to recommend against building your own crypto primitives, but in this case, it's probably justified, at least as the first step to counteract the fraud. I can probably still use the built-in SHA1, just need to reimplement the RSA portion. The latter is a bunch of BigInteger arithmetic.
Friday, December 2, 2016
Google Play fraud
I have a freemium Android app on the Google Play store. It's free to download, but there's a paid subset of functionality. To unlock it, one may download a separate app ("The License App"), or pay with an in-app purchase (IAP).
Such a scheme is open to many avenues of abuse. I'll try to outline some of those, and discuss the ways to combat them.
Such a scheme is open to many avenues of abuse. I'll try to outline some of those, and discuss the ways to combat them.
Monday, November 7, 2016
There's an app for that
Sharing little code snippets on this blog is fine in its own right, but there's a platform out there specifically for that - GitHub Gist (https://gist.github.com/). I think from now on, rather than paste it here, I'd upload it to Gist and link.
Tuesday, September 13, 2016
JavaScript says "beep"
UPDATE: it's now a Gist.
Today's snippet: generating a simple musical tone purely from JavaScript. I saw some online samples for doing it on a server (e. g. in PHP) and sending to the client, but that's a waste of bandwidth.
The ingredients are twofold:
Today's snippet: generating a simple musical tone purely from JavaScript. I saw some online samples for doing it on a server (e. g. in PHP) and sending to the client, but that's a waste of bandwidth.
The ingredients are twofold:
- An <audio> element with a source that's populated from a data: URI
- An ArrayBuffer object with WAV data inside
Sunday, May 8, 2016
You can try or you can __try
Some time ago, I've outlined a technique for wrapping a C++ fragment in a Structured Exception Handling (SEH) crash catcher. It involved a rather convoluted sequence of C++ to C back to C++ calls.
Thursday, April 21, 2016
UTF-8 in Transact-SQL: no CLR necessary
UPDATE: it's now a Gist.
While we're on the subject of Transact-SQL utilities, here's one for converting a Unicode string (as NVARCHAR) to a UTF-8 binary data block. It works correctly with non-UCS2 strings encoded as UTF-16. To make sure, try it on a string with an Emoji character, for example, N'😂'. That's codepoint U+1F602, the widely smiling face.
While we're on the subject of Transact-SQL utilities, here's one for converting a Unicode string (as NVARCHAR) to a UTF-8 binary data block. It works correctly with non-UCS2 strings encoded as UTF-16. To make sure, try it on a string with an Emoji character, for example, N'😂'. That's codepoint U+1F602, the widely smiling face.
Saturday, April 16, 2016
Your software WILL crash.
When reporting on unhandled .NET exceptions, don't use the builtin Exception.StackTrace. Instead, construct an instance of System.Diagnostics.StackTrace with the exception object as the parameter, and generate your own trace. The difference is, with the latter, you can get offset to the crash point within the method.
Friday, April 15, 2016
Object Linking and Embedding Database
Recently, I've been messing with a database API I've never used directly before, even though I've been using it all the time. I'm talking about OLE DB, the interface behind ActiveX Data Objects (ADO).
MurmurHash in Transact-SQL
UPDATE: it's now a Gist.
UPDATE: now in Pascal too.
UPDATE: now for MySQL too.
Sometimes, one needs an intermediate strength hash. Something less collision prone than CRC32 or Adler-32, but smaller and less costly than MDx or SHAxxx. My favorite for a while has been MurmurHash64 - it produces a 64-bit value, just the right size to fit into a scalar variable in a C program, or a bigint database field.
UPDATE: now in Pascal too.
UPDATE: now for MySQL too.
Sometimes, one needs an intermediate strength hash. Something less collision prone than CRC32 or Adler-32, but smaller and less costly than MDx or SHAxxx. My favorite for a while has been MurmurHash64 - it produces a 64-bit value, just the right size to fit into a scalar variable in a C program, or a bigint database field.
Subscribe to:
Posts (Atom)