I just recently extracted source code of an apk from playstore. When I opened the source code all the function names, variable names were renamed with some random numbers and letters.
So does playstore does that automatically when we upload our apk?
If not then how can I do that in android studio?
thats Proguard feature, check this doc: Shrink, obfuscate, and optimize your app
when you use it then your code will be obfuscated for harder reverse engineering (besides some optimisation). you have to enable this feature in your gradle file (minifyEnabled), some same how to declare under link above
So does playstore does that automatically when we upload our apk?
-no it was done by some other application
the application you unpacked was previously obfuscated.
you can read more about this here:
https://en.wikipedia.org/wiki/Obfuscation_(software)
Java obfuscator
https://www.preemptive.com/products/jsdefender?gclid=EAIaIQobChMI4bXBqZn48AIVbxitBh1OyQnqEAAYASAAEgJ_XPD_BwE
Related
I have built a flutter apk in release mode and I would like to test if my app is really obfuscated and my code cannot be read. So I tried to decompile the apk using the APK Decompiler.
I had many files after decompiling. The question now is: What is the file that contains the source code and how do I know if it can be read or not?
I have some doubt on libapp.so, is it?
I confirmed my doubt when I was to able to open the libapp.so (shared object) file using Ghex and I have found some words of my code (like text and some style proprieties) but the source code is really obfuscated and it cannot be simply read.
I created ios and android apps, so now i have to deliver to my customer in IPA and APK file formate.
I want to know, is it possible for them to extract the ipa and apk files and get into my main codes ?
Friends please educate me. Thanks guys.
For android,
Consider enabling your ProGuard
ProGuard obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names which make the code base, smaller and more efficient. The result is a smaller sized .apk file that is more difficult to reverse engineer.
to enable proguard
set minifyEnabled to true and add rules you need on proguard-rules.pro file.
Useful reference
https://developer.android.com/studio/build/shrink-code
For iOS
I don't think there is an easy way to reverse engineer an ipa file
Seem like they can get your code from your APK file (Android) and IPA file (iOS). (I'm not trying it, just for consult)
For android, the answer can be found here
Is there a way to get the source code from an APK file?
For iOS
https://reverseengineering.stackexchange.com/questions/1594/possibilities-for-reverse-engineering-an-ipa-file-to-its-source
I am developing an android email client application and Calling webservices using ksoap2 library and also writing some encryption algorithm to encrypt data in my client.
In some websites I have read "It is possible to decompile the apk using some decompilers". (i.e.) get the source code from apk file.
But I want to secure my code. Don't show the encryption algorithm code after decompilation or don't want to decomplile my apk file. Is it possible to do that? please can you give some suggestions?
Edit the file (in the project root) project.propierties and add the line
proguard.config=proguard.cfg
And its done. When you try to generate the signed apk of your app it will take a little longer and it will be obfuscated.
If you receive the "Conversion to dalvik error" when generating the apk you need to update the proguard of your sdk. For doing it you need to go to the ProGuard page to the download section. Download the last stable version and put it content in
SDK_ROOT/tools/proguard
Deleting the existing content before of course.
You can check the Proguard manual at their page (link is above) and the Android's Proguard page for more info about ProGuard
This process is known as Obfuscating the code.
EDIT:
Steps to get obfusticated apk:
1) Download latest proguard from "http://sourceforge.net/projects/proguard/files/". Current latest version is proguard4.7
2) Replace "bin" and "lib" folder of "C:\Program Files (x86)\Android\android-sdk\tools\proguard" with latest downloaded proguard folders.
3) Check SDK location in eclipse for blank spaces in it and for that go to window > Preferences > Android. If there is blank space then replace it with:
c:\Progra~2\android\android-sdk (for windows 64-bit)
c:\Progra~1\android\android-sdk (for windows 32-bit)
4) Check that proguard.cfg file is in your project's root folder and add "proguard.config=proguard.cfg" in project.properties file of android project.
5) Now export your project to get obfusticated apk.
I hope that it will help.
You must not rely on security through obsurity.
If you feel that the encrypted data would be compromised by the knowledge of the encryption algorithm, then you're NOT doing security.
It will always be possible to decompile any file, if the "hacker" knows how to do so. That's why there are still cracks for paid applications, because people take their spare time to decompile/crack applications. All you can do is to make them have a hard time by using as many tools as you can. The first choice (and that comes disabled by default) is ProGuard
I searched around the net a simple example of how to use ProGuard to protect your Android app from "code thieves". And I ended doing like this and you tell me if this is all it takes:
I opened project.properties file of my project in Eclipse, and uncomment and left this line: proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
Then I went to my project's Android Tools => Export Signed Application Package...
and export it with existing keystore which I made earlier when I was exporting app to test it in my phone.
In my project, above project.properties appeared to be created a new file proguard-project.txt, which I expected because the above line: ...proguard-android.txt:proguard-project.txt.
And that's it?
Or no? Do I have to add something else because I've seen that others are adding some classes to inculde in file, ... Is that not included?
Help me to learn how to protect my app. Thanks in advance!
Yeas, that's all if you want to protect your code only.
if you have resources that have copyrights, consider using the Android Copy protection.
When pubishing your app : go to section Publishing options subsection Copy Protection
Check Copy Protection : On
This prevent hackers to export the apk and by the way, prevent your resources from most of hackers.
For the most part, that is all you need to do. If you use any external libraries, you may have to modify your config file in order to export your app. You should test your protected app on your device to before publishing.
I have an Android project that I recently published to the market after running it through obfuscation with ProGuard.
The project exported without any complications, but how do I know it's been obfuscated? Is there anything I could do to verify that obfuscation was successful?
Look for dump.txt, mapping.txt, seeds.txt and usage.txt. They will probably be in a proguard folder at your project directory. These are created when ProGuard is run on your code.
These are filled with information about the obfuscation, especially useful is mapping.txt which shows what ProGuard turned your various member names in to.
Try to reverse engineer your own application. See what you can read in the code.
Use the following questions:
decompiling DEX into Java sourcecode
http://www.taranfx.com/decompile-reverse-engineer-android-apk
DISCALIMER: I am not the owner of decompileandroid.com and I am not paid to promote it. I am a develper, who is satisfied with this service.
There is actually an easier way than acquiring several different tools and passing the output of one of them to the other (this of course gives you a better control of what's going on). You can use the service
decompileandroid.com
Basically you upload and .apk file and it does all of these steps for you.
Then you can download a .zip file, which contains the decompiled sources.
You can first upload your .apk built in debug mode, then upload an .apk built in release mode. Just make sure that the flag minifyEnabled is set to true in your build.gradle file for the release build.
The difference was pretty obvious in my case - most of my classes were named a,b,c, etc in the minified build.