I have my native android app in play store, in recent days my app gets multiple request frequently from a particular user, for time being in have blocked that particular device id, i fear would be there any chance to crawl my app?
Is there any way of crawling android app content?
Of course there is! You can open your APK like any zip archive and open whatever you want. You can use aapt tool from Android SDK to replace some parts. And you can decompile your code using undex tools. It will not be exactly what you used, but they will be able to modify your application.
You can do it harder for them, if you use some obfuscation tools like Proguard. You cannot prevent completely revealing your code however. It is much harder to disassemble native code, but still possible. Make sure you do not compile symbols for all functions into release library. See http://www.ibm.com/developerworks/aix/library/au-aix-symbol-visibility/ for examples.
If you have something really valuable, only secure way it to process data on your secured server without giving your code to the user. All code you give on the user's device can be decompiled. It differs only by how hard it is and how much he has to spend to do that.
I may not have understood what you meant by crawl your app though.
Related
Is it possible to download my apps code from my IPhone 5s and Android. My developer in India disappeared and I am trying desperately to get a hold of her. I dont know if there is a holiday over there or if she is sick.
Anyhow my app is finished on both platforms and all that needs to be done is transfer the database to Amazon and the respective stores.
Is there any way to rescue this code on my phones?
If I understand your issue correctly, you want to reverse engineer or extract the code from a copy of the app installed on your phone.
It's called App Decompiling and while in theory, it's possible to do it, it won't "just work" as easy as copy & paste. Especially taken you've got 2 different platforms to decompile from.
On iOS, for example, the apps are protected by its DRM https://en.wikipedia.org/wiki/FairPlay technology which splits the app into segments and encrypts each of them with a separate key. To attempt to decompile the app, you'll need to jailbreak https://en.wikipedia.org/wiki/IOS_jailbreaking your device, which immediately voids all of its warranties. Even then, it's not certain you'll be able to extract enough of the code to rebuild the app.
On Android, it's slightly easier, but would still not exactly grant you the Java source code.
Bottom line, it's extremely difficult, unreliable, quite expensive (if not performed by yourself) and probably not worth it in your case.
I just read these topics:
Is there a way to get the source code from an APK file?
How to avoid reverse engineering of an APK file?
...and realized that you can't develop an android program without being possible for its .apk file to be reverse engineed.
You can use Proguard and tricks but still your code will not be completely hideable.
So if you want to make an app completely close-source what you have to do?
For example, what Facebook and Snapchat and Messenger (e.g) did so their source codes are not accessible?
Also, another question: if you upload your app on google play, then a user can get your .apk?
Thanks in advance!
Every app may be reverse engineered.
The difference is only time needed to do it.
Proguard is a minimal solution whish requires minimal efforts and provides a level of protection that is enough in most cases.
You may also use other obfuscation tools (for example, DexGuard).
Another way is making shared libraries with Android NDK and using it. Reverse engineering of native binaries is usually more difficult than Java classes.
Probably the only way to completely protect your algorithms is to remove them from user's device - move to a server. In that way application will do a requests, but computation will be performed on your server.
As for extracting APK - it is possible, as Giorgos Pippos wrote.
From what I know, there are programs you can use to extract an apk from your phone. For example APK Extractor is listed in the Play Store.
You can use this kind of apps to get the apks you want.
in my case i have an Hybrid Mobile App with Cordova.
How can I avoid changes to my javascript/AngularJs if someone download my *.apk or *.ipa and try to use it with a browser ?
I want to encrypt my source javascript code or if possible want to full content in *.apk.
A way to avoid other person make changes in your code is minify and obfuscate the javascript files.
Here you can test it by yorself.
But if you want to minify all the javascipt files of your project, i suggest you to use some task runner like grunt with Uglify.
To avoid unwanted requests you have to configure Cross-origin resource sharing (CORS) in your server.
While most people will agree that Javascript encryption is not a fool-proof method, there are a few cases where increasing the efforts required and slowing down the attacker often helps. You can check tools like refresh-sf, Uglify and also obfuscator.io for code obfuscation. However, basic encryption and obfuscation practices don’t prevent people from lifting and using your code, and considering the advanced cyber-attacks happening these days, hackers already have a way around such practices.
My suggestion would be to invest in mobile application security tools like Arxan, AppSealing, or Appdome to apply a robust security architecture on your application. Having personally used AppSealing, I can say that they have regular updates and definitely keep you guarded from the latest attacks. Their framework is integrated directly in your apk so there’s no additional coding required. I would suggest you look for such mobile app security solutions for a more robust security architecture. I am sure there must be more solutions apart from the ones I have mentioned above. Just research and pick the one that suits your requirement and budget.
First of all minify all your js file into one single bundle.js and use cordova-anti-tampering plugin. if somebody tries to tamper your apk and rebuild the apk app will get crashed.
This plugin will create hash value for all the files. if you want to secure your app more You can store these hashvalues to server once and check your files hash values with server stored hash values.
Is an application build using unity3d for android obfuscated or in some form proguarded?.
I searched on net and read different views, some say that it is proguarded by default, some say to use a 3rd party code obfuscator to obfuscate the c# or javascript scripts before building for android????
what i want to know is-
what is the best approach when releasing an Android application made by unity3d on google play store, so that the code is obfuscated if someone tries to decompile it.
No it is not. There are plethora of tools that decompile the DLL's into it's respective original assets and source code files. This is one of the distinct downfalls for using .NET CIL languages, the lack of ability to hide from decompiling. For Android, it may be protected through a few different levels, but in the end if they wanted to get to your code they could because of .NET runtime. Reflector has been the defacto .NET decompiler for years, and there are plenty of resources on the internet that show how to use it to get compiled code, and allows you to convert to VB, C#, C++ and a few other options.
Like Gabe asserted above however, there's nothing too unique about Unity3D coding. Since it's such an open community and a good active user base giving away code and assets, and selling it, there's nothing top secret that can't be replicated elsewhere. The community for Unity3D is huge, hence the reason for the lack of uniqueness of your code, chances are you've gotten and compiled from other resources and put together. On that platform, it's rare for someone to do something 100% from scratch.
A lot of Android apps are open source, but how can we make sure the person who finally uploads to the Google Market does not include some spyware just before uploading?
Background: Mobile apps security seems to be a growing concern, and I would like to reassure the users of my Open Source Android app. Solutions that require to modify the deployment process or application content are acceptable too.
2012 update: This is going in the right direction: http://f-droid.org/ They check the apps and compile them into APKs that they distribute. That being said, I would trust them more
if they were Mozilla or Apache...
Take a look at https://stackoverflow.com/questions/249106/how-can-you-give-users-confidence-that-your-application-has-no-malicious-intent for some related information.
You could of course take the source and build/compile it yourself and compare the resulting binary to the uploaded one, but this somehow defeats the purpose of binary distribution. And it still wouldn't help in cases where the source code does contain malicious code. Or maybe build a safe, i.e. trusted reference binary and then publish the checksum for comparison?
Apart from that, this problem really is not specific to open source software. In the end, it all boils down to trust.