I am developing an android library and I want to hide it's code.
I am using other library, and for some of them, when trying to access their code with Android Studio, you only get the list of methods of the class and "/* compiled code*/" inside.
I am using pro-guard, but i can still access the source code of my library. Even if the methods and members names have been modified, the code is still readable and it is possible to read every hard coded strings.
How do I hide my code the same way those libraries do ?
Android Studio replaces the actual code with something like /* compiled code */ only if you don't have the actual source code for the library and the decompiler isn't activated. But it's trivial to either attach the source code or to install a decompiler.
You can display the bytecode of any class using javap. See Is it possible to view bytecode of Class file? for details.
Back to your original question: No, it's not possible to actually hide your code because the code is required to actually execute it. And if the code is there you can see the bytecode and decompile it. The best option you have is to obfuscate the code using Proguard which won't get you very far either regarding hiding your code. See How to avoid reverse engineering of an APK file? and Android ProGuard how to hide/obfuscate source code of exported library.
Related
I tried to see the list of classes inside a package in an android application using AndBug command 'classes com.package.name.example'.
The output shows only one class file.
But when I decompile the apk using dex2jar and view the classes inside the package com.package.name.example using JD-GUI, I can see two class files.
The class file that I want to trace is not being shown in AndBug, while it is shown in JD-GUI.
What could be the possible issue?
It's very likely a bug with AndBug. You should at least submit an issue to the project page along with a dex file, if possible, so that they can reproduce the issue: https://github.com/swdunlop/AndBug/issues
For bonus points, debug the issue yourself and submit a pull request. :D
There are always bugs with disassemblers and decompilers. Some people intentionally find and exploit them to prevent others from reversing their applications.
Generally we can get source code from the android installation package as shown in this reference link.
But, is it possible to secure the actual program code (source code) from a reverse engineer ?
The code that you write is converted into class files then dex files, so directly viewing the code is not possible. but however dex compilers can be used to de-compile the source code but that requires some good knowledge so for that you have to obfuscate the code. Google by default provides proguard so that you can protect the code
you can read about proguard from here
In simple words you cannot hide the source code, but just add this line proguard.config=proguard.cfg to your project.properties file so making it difficult to be decoded . You can check here for an example
No, because the android system has to be able to read it in order to run it. You can obfuscate it with tools like Proguard to make it harder to decompile, but there's no way to make it completely impossible.
I want to restrict my Android Application code to regenerate a code using reverse engineering process form my android .apk file. So then my application code will be secure but i don't know how to do this, please help me to restrict reverse engineering process to my android .apk file.
Thanks,
Android Developer.
The best you can do as far as I am aware is to obfuscate your code before deploying it.
Obfuscating, minifying etc will make the original code unreadable even if the code is decompiled. By unreadable I mean people will not easily be able to tell what variables are used for etc since they will no longer have meaningful names. The same goes for methods, etc.
"You cannot completely restrict Android apk from decompilation.
Because it uses dex formats any one can easily convert these dex files into jar file using publicly available tools like dex2jar.
But you can Obfuscate code to reduce code readability, you can also use native codes to prevent easy decompilation of code.
You can store some part your code in server and download them at runtime call function in library using Reflection concept,
which will help you to prevent your code from decompilation."
I have been working for one of the project where I am required to do the following.
Current Status: I have developed an Android app for which we are currently distributing apk files to the users. But the problem is, if users want to alter any designs etc, we have to take that pain, instead, we want to make sure the view files are available to them, but the core logic is in the jar file. Now, creating jar file is not an issue, but we still want to secure the source code. So, I found ProGuard http://proguard.sourceforge.net/index.html#manual/introduction.html
Now, the examples there shows that apk file which will be generate will have obfuscated codes. But I just want my classes under the jar files to be obfuscated.
Any help will be appreciation.
You can limit which classes should be left original and which ones should be obfuscated.
For example you may not want to obfuscate Activities or Services or Android will not be able to find them anymore ;-)
Reference: http://developer.android.com/tools/help/proguard.html#configuring
You can also use proguard on its own and pre-obfuscate your jar file before using it in the app itself.
I would like to use third party classes for which I have no source code. How do I instantiate these classes (which are in an APK on the phone) if I have no source code. Is it possible to do in Java? If not, how can it be done?
What exactly are you trying to do? If you can root your phone I guess you could pull the APK off and try to analyze what the classes are doing using something like Apktool..
How do I instantiate these classes (which are in an APK on the phone) if I have no source code.
If the classes are in your project (as a JAR or source code), you use them normally, like any other class. If you do not know how to do that, contact whoever wrote the code and obtain documentation for them.
If the classes are not in your project, you cannot use them.