I just read these topics:
Is there a way to get the source code from an APK file?
How to avoid reverse engineering of an APK file?
...and realized that you can't develop an android program without being possible for its .apk file to be reverse engineed.
You can use Proguard and tricks but still your code will not be completely hideable.
So if you want to make an app completely close-source what you have to do?
For example, what Facebook and Snapchat and Messenger (e.g) did so their source codes are not accessible?
Also, another question: if you upload your app on google play, then a user can get your .apk?
Thanks in advance!
Every app may be reverse engineered.
The difference is only time needed to do it.
Proguard is a minimal solution whish requires minimal efforts and provides a level of protection that is enough in most cases.
You may also use other obfuscation tools (for example, DexGuard).
Another way is making shared libraries with Android NDK and using it. Reverse engineering of native binaries is usually more difficult than Java classes.
Probably the only way to completely protect your algorithms is to remove them from user's device - move to a server. In that way application will do a requests, but computation will be performed on your server.
As for extracting APK - it is possible, as Giorgos Pippos wrote.
From what I know, there are programs you can use to extract an apk from your phone. For example APK Extractor is listed in the Play Store.
You can use this kind of apps to get the apks you want.
Related
I want to make an application and I need to know the programming languages that were used in similar applications in google play store. I tried to contact the owners of the application but there is no response.
i tried to see the app files using file manager but didn't work.
Simplest way is decompile apk and you can see java, c++ or other lang.
If you will describe the app that you're trying to create, some people here may be able to make suggestions. In general though, android apps are written in either Java or Kotlin. If you're just starting out, start with Java.
Is it possible to download my apps code from my IPhone 5s and Android. My developer in India disappeared and I am trying desperately to get a hold of her. I dont know if there is a holiday over there or if she is sick.
Anyhow my app is finished on both platforms and all that needs to be done is transfer the database to Amazon and the respective stores.
Is there any way to rescue this code on my phones?
If I understand your issue correctly, you want to reverse engineer or extract the code from a copy of the app installed on your phone.
It's called App Decompiling and while in theory, it's possible to do it, it won't "just work" as easy as copy & paste. Especially taken you've got 2 different platforms to decompile from.
On iOS, for example, the apps are protected by its DRM https://en.wikipedia.org/wiki/FairPlay technology which splits the app into segments and encrypts each of them with a separate key. To attempt to decompile the app, you'll need to jailbreak https://en.wikipedia.org/wiki/IOS_jailbreaking your device, which immediately voids all of its warranties. Even then, it's not certain you'll be able to extract enough of the code to rebuild the app.
On Android, it's slightly easier, but would still not exactly grant you the Java source code.
Bottom line, it's extremely difficult, unreliable, quite expensive (if not performed by yourself) and probably not worth it in your case.
in my case i have an Hybrid Mobile App with Cordova.
How can I avoid changes to my javascript/AngularJs if someone download my *.apk or *.ipa and try to use it with a browser ?
I want to encrypt my source javascript code or if possible want to full content in *.apk.
A way to avoid other person make changes in your code is minify and obfuscate the javascript files.
Here you can test it by yorself.
But if you want to minify all the javascipt files of your project, i suggest you to use some task runner like grunt with Uglify.
To avoid unwanted requests you have to configure Cross-origin resource sharing (CORS) in your server.
While most people will agree that Javascript encryption is not a fool-proof method, there are a few cases where increasing the efforts required and slowing down the attacker often helps. You can check tools like refresh-sf, Uglify and also obfuscator.io for code obfuscation. However, basic encryption and obfuscation practices don’t prevent people from lifting and using your code, and considering the advanced cyber-attacks happening these days, hackers already have a way around such practices.
My suggestion would be to invest in mobile application security tools like Arxan, AppSealing, or Appdome to apply a robust security architecture on your application. Having personally used AppSealing, I can say that they have regular updates and definitely keep you guarded from the latest attacks. Their framework is integrated directly in your apk so there’s no additional coding required. I would suggest you look for such mobile app security solutions for a more robust security architecture. I am sure there must be more solutions apart from the ones I have mentioned above. Just research and pick the one that suits your requirement and budget.
First of all minify all your js file into one single bundle.js and use cordova-anti-tampering plugin. if somebody tries to tamper your apk and rebuild the apk app will get crashed.
This plugin will create hash value for all the files. if you want to secure your app more You can store these hashvalues to server once and check your files hash values with server stored hash values.
I have my native android app in play store, in recent days my app gets multiple request frequently from a particular user, for time being in have blocked that particular device id, i fear would be there any chance to crawl my app?
Is there any way of crawling android app content?
Of course there is! You can open your APK like any zip archive and open whatever you want. You can use aapt tool from Android SDK to replace some parts. And you can decompile your code using undex tools. It will not be exactly what you used, but they will be able to modify your application.
You can do it harder for them, if you use some obfuscation tools like Proguard. You cannot prevent completely revealing your code however. It is much harder to disassemble native code, but still possible. Make sure you do not compile symbols for all functions into release library. See http://www.ibm.com/developerworks/aix/library/au-aix-symbol-visibility/ for examples.
If you have something really valuable, only secure way it to process data on your secured server without giving your code to the user. All code you give on the user's device can be decompiled. It differs only by how hard it is and how much he has to spend to do that.
I may not have understood what you meant by crawl your app though.
Is an application build using unity3d for android obfuscated or in some form proguarded?.
I searched on net and read different views, some say that it is proguarded by default, some say to use a 3rd party code obfuscator to obfuscate the c# or javascript scripts before building for android????
what i want to know is-
what is the best approach when releasing an Android application made by unity3d on google play store, so that the code is obfuscated if someone tries to decompile it.
No it is not. There are plethora of tools that decompile the DLL's into it's respective original assets and source code files. This is one of the distinct downfalls for using .NET CIL languages, the lack of ability to hide from decompiling. For Android, it may be protected through a few different levels, but in the end if they wanted to get to your code they could because of .NET runtime. Reflector has been the defacto .NET decompiler for years, and there are plenty of resources on the internet that show how to use it to get compiled code, and allows you to convert to VB, C#, C++ and a few other options.
Like Gabe asserted above however, there's nothing too unique about Unity3D coding. Since it's such an open community and a good active user base giving away code and assets, and selling it, there's nothing top secret that can't be replicated elsewhere. The community for Unity3D is huge, hence the reason for the lack of uniqueness of your code, chances are you've gotten and compiled from other resources and put together. On that platform, it's rare for someone to do something 100% from scratch.