I'm doing some reverse engineering protection on Android and I want to prevent debugging of the app. I know how to detect when a debugger is attached but is there a way to block it from attaching in first place?
Edit: For clarification and in response to droidpl's answer, I mean ways beyond just setting debuggable=false in the manifest in case the .apk is repacked.
Yes, you can modify your build process to make your app not debuggable. In the build.gradle of your app, in the build type you want to avoid it to be debuggable, set the property debuggable false.
Now if you try to attach the debugger to your process, it won't appear in the running available processes.
Related
My Android app is coming to the end. Debugging runs OK for many many times without any error. It runs just fine. It's the time for me to build a release and publish the app. I follow all the steps which can be found via Google easily. In fact the signed APK is installed OK and the app starts OK but if user interacts to navigate between screens of the app, it is crashed for no reason. Not all screen switching causes app crash, just some of them and I can notice that maybe it involves Reflection here. I design my own binding system to bind ViewModel behind with the Fragment and using Reflection is a must, no other way.
I totally believe that it is not any fault in my code because the app runs just fine in debug mode. And at the time of nearly completely losing all hope to publish the app, I found a signed version of the APK file in the debug folder (that signed version is generated only if you start debugging the app to run in some targeted device - even some emulator, building in Debug mode won't generate that file). It's very lucky for me that that signed apk works perfectly. I can deploy that APK to a new device and install normally, the app runs expectedly.
So it must be something wrong with the releasing process. Here is some info about configuration for Release mode (mainly in Android Options tab):
Packaging (Packaging properties): Nothing is checked in here.
Linker: I tried both Sdk assemblies only and Sdk and user assemblies but nothing works.
Advanced properties: I checked all options to support all possible CPU architectures (this should not be a problem because in debug mode, all these options are also checked).
At the beginning of learning Xamarin Android, I tried finding information about publishing Android app and did complete a simple test (to deploy a simple app). It worked OK at that time (maybe because it's too simple), but now when it comes to a complex one (mainly involving my binding system which uses reflection heavily) it can be crashed at some user interactions. I also have a separate library project (containing some custom Views) referenced OK in my main project (not sure if that could be a break, however one custom view is used OK while some others may cause crashing). Because all the crashes happen in a compiled build, I cannot debug anything to see what could be wrong.
No code is provided here because there is too much code, it seems to be crashed at many places and one more important reason is the code should not be the problem (for one reason I explained above - it just runs smoothly in debug mode, I even found a signed APK file in debug folder which can be installed OK and the app then runs just OK like in debug mode).
Since you stated you are using a lot of reflection, the first thing to do is:
In the Android Build Settings:
Disable Proguard if it selected
Change the Linker Options to Don't Link
Rebuild a release build
Update: Since this worked and the app no longer crashes.
The linker will sometimes remove code that you want to preserve.
For example:
You will need to determine what classes and/or method are being remove because that have no direct references and are only called via reflection and preserve those to prevent the linker from removing them.
If they are in your code, you can use the [Preserve] attribute.
If they are 3rd party libs or the Xamarin.Android framework, you can create a "hardcoded" fake reference to those classes/members so the linker sees that you need them.
You might have code that you call dynamically via System.Reflection.MemberInfo.Invoke.
If you instantiate types dynamically, you may want to preserve the default constructor of your types.
If you use XML serialization, you may want to preserve the properties of your types.
Ref: https://developer.xamarin.com/guides/android/advanced_topics/linking/
I been looking at this question, and I thought it would be a good idea of using assert only in debug build.
Is there any thing special that I need to configure in Android Studio in order to allow asserts? I also want to guarantee that they will not be presented in release build.
The adb shell setprop debug.assert 1 from your referred question is to be executed on the device you are testing on, so you could whip up a script or even create a custom gradle task for that (gradle docu).
In general I'd recommend to also have your checks in production and handle them in a proper way. A simple solution would be to throw a RuntimeException. With checked Exception you could even handle the recovery from this errorneous states / misuses of your api.
Furthermore, it would make sense to add proper tests that ensure, that your code/APIs only emit "valid" values that can be handled by the rest of your code.
My question is, when we use Log.d(), Log.v(). Are these visible on android screen as output or do they just remain in the background and Android Mobile just display what the emulator displays in Computer?
Logging is just something, that enables developers the possibility to check if his code is working like it's intended to be, the user won't see any of the log statements. But it's recommended to remove all logs before publishing your App:
Turn off logging and debugging
Make sure you deactivate logging and disable the debugging option
before you build your application for release. You can deactivate
logging by removing calls to Log methods in your source files. You can
disable debugging by removing the android:debuggable attribute from
the tag in your manifest file, or by setting the
android:debuggable attribute to false in your manifest file. Also,
remove any log files or static test files that were created in your
project.
Source here.
No, this is purely a background thing, viewable with the LogCat view in Eclipse. The user will not see anything Log related, they will be oblivious to it while using the app.
So yes, it will display what your emulator displays. Of course if you need them to see something, you can show Toasts and Dialogs. However, make sure to take out Log statements in release versions of your app. People that have debugging enabled will be able to see your statements if they attach their phone to a computer and run LogCat.
I marked a few break points and launched the debugger, but after the application is installed, the break points don't get the "v" sign, and the debugger doesn't seem to stop when reaching to them! I really don't know what I'm missing here. Could it be related to the fact that it's an app widget application? I didn't have this issue with other applications...
I'm using the emulator, if it matters somehow.
Thanks.
Is your application set to false for debuggable in your manifest? It shouldn't be in there at all or set to true.
<application android:debuggable="true" >
Also try to use this in the onEnabled():
android.os.Debug.waitForDebugger();
Another way could be by using the DDMS perspective and selecting the widget from the list of processes.
This link might be helpful as well.
Check that you do not have "Skip all breakpoints" set in Eclipse. Run -> Skip All Breakpoints. If that is set, Eclipse allows you to set breakpoints, but does not stop at them.
I wonder if it is a "good coding" to use log.d very often in my app?
Should I include a checkbox to manually activate logging or is it okay to do it everytime the app starts? I know the normal user doesn't see it, but I guess as it is not stored in a file (or is it?) no write cycles would be wasted.
What would you say?
Thanks for helping...
Read this.
Or quote:
Before you consider your application ready for release:
1. Test your
application extensively on an actual device
2. Consider adding an End
User License Agreement in your application
3.Consider adding licensing
support
4. Specify an icon and label in the application's manifest
5. Turn
off logging and debugging and clean up data/files
I agree with the point you have mentioned. As a developer its good to have log for application.
My suggestion would to have some logic to remove log related lines on compilation i.e Tag.
what`s your view on this.