I've run into an issue and not sure how to solve. I worked with a developer to create an IOS and Android app. It's a paid app and I decided after about 6 months to create the same app and offer for free with ads. This should go smoothly, but the developer says his computer crashed and he no longer has my source files. I have a version, but not "the" version cause I was working with him through Elance and reached the upload limit to send files. Can I retrieve the files from Apple or Google Play somehow? Any other ideas? Any help is appreciated.
I'm afraid you are going to have troubles either way. From what I know of Google Play, you need to have the unique signature (private key) compiled in to the APK when you upload it. Since there is no way you'll get that again, you won't be able to duplicate it.
On the other hand, you would have to compile a NEW version anyway, since it is not a paid version. So, assuming you have access to the source code at all, none of the first paragraph really applies.
Having said all that, what you need is an app decompiler. I wish you luck with that. But that's never as simple as it seems. I'm afraid you may have to start from scratch. Although, having done it once, you shouldn't have such a hard time with it...
What you need to do is this:
A. Pray that your developer had neglected to obfuscate your app's code
B. Download the APK from Google Play and use dex2jar to convert it into a standard Java jar.
C. Download jd java decompiler from here to convert the binary .class files inside the jar into text
D. Use ApkTool to convert the binary encoded XML files within your APK into textual XMLs.
E. Get into the habit of using source control
Good luck.
Unfortunately it's not possible to decompile a iOS- or Androidapp.
Related
I've read that you could automate builds quite a lot, but what about creating an equal project and changing a few things like the app name and colors.xml values for uploading to the Play Store? I am developing many similar apps that are a copy of each other with different names, pictures, icons and colors for quantity distribution at a low price. This would be easy for a website as you could store all changing variables in a single file and then upload that through an FTP Client, but when it comes to Android software, it's obviously different.
I am looking to learn a way to make something like a .bat file or cmdline Command that would let me do this quick, and output a Signed APK ready for upload. Thanks in advance
This is probably against Google Play terms of service. See the Policy site, especially the "Spam and minimum functionality" section.
tl;dr: I'm wondering if there's anyway for me to ensure that the source code I (re)viewed on GitHub for an open-source project was actually used to build the APK I'm downloading from Google Play?
Let's say I want to find an app for encrypting files on my local Android device. There are several apps available when googling, many open-source. As I'm going to encrypt sensitive information, I'd like to ensure it's done correctly (and without bad intent), so I review the source code for the app. All looks okay, so I download the app from Google Play and start using it.
If the developer of the app wanted to, they could just offline modify the source code (in a "private build step", so to say), and inject whatever they want (send the unencrypted file content somewhere, fake-encrypt the files, whatever), build the APK and upload that APK to Google Play instead.
Is there anyway to verify the APK actually came from the source code?
I have a an updated APK that another developer (hired 3rd party) compiled and sent my way to upload to my Google Play Developers Console to update the previous version. The issue is that he didn't change the version code before sending it to me and leaving the country for several months (without contact). I'm not able to change the manifest (as far as I know) and I get this error when I attempt to upload:
Upload failed
You need to use a different version code for your APK because you already have one with version code 1.
Any thoughts or suggestions as to the best way around this issue? I can't wait for the developer to get back in a few months as the app is only half usable at this point. I'm WAY out of my element - hence the hiring of a third party developer.
Thanks in advance!
There is a tool called apktool located here
http://ibotpeaches.github.io/Apktool/
that may be able to help you. Essentially what it does, is it decompiles the APK file, allowing you to see the files that are inside. Once you decompile the APK, you will see a file called
apktool.yml
where you can change the version code / version name. The tricky part will now be recompiling the APK back to the original state. Apktool can help with that, as long as you have the keystore file and credentials the original developer used to sign the APK with. If you need any help with the specifics of Apktool, let me know!
There are many "open source" apps like K-9 mail on the android app store. If I compile and build the source code myself, I can be sure that the resulting apk, will indeed do what the source code says it will do.
But how can I verify, that the apk submitted to the store is actually the result of compiling the same source ? What is to stop the makers of k9 of inserting malicious code in the version submitted to the app store ? I don't see any hash, or other way of verifying the source.
(K-9 is just an example).
Compare the contents of the APKs: the one you pull off the device (that you got from the Play Store or wherever) and the one that you compiled yourself. If the compiled classes differ, then there may be cause for deeper investigation. It's possible the differences come from differences in compilers, bytecode converters, or obfuscator settings. Or, it's possible that the differences are indicative of "malicious code". That work is up to you.
Or, use a store like F-Droid that compiles from source itself.
Or, just use the version that you compiled from source yourself.
We are developing an Android application. We know that using tools like APKTool, dex2jar can get the source code of an APK.
1) Can they get complete source code so that they can rebuild the same APK, with very minimal effort?
2) After getting the source code, is there a possibility that others can upload the rebuilt APK under their own name?
3) If possible, how to prevent this?
Our clients are keen about this.
It is not possible to prevent your application from being reverse engineered. However, you can make it harder using tools loke proguard.
Yes, it is possible that others can upload the reverse engineered APK. Nevertheless, they need to change the package name.
It cannot be prevented.
Have a good look here for a more detailed explaination: How to secure my app against piracy
1) They can, but NOT WITH A MINIMAL effort.
2) Sure, they can.
3) You can't. You can just make their work a bit harder, trying to obfuscate your code as much as possible and crypting your dbs (which is the most important thing you and your users should worry about).
Not sure what you mean by APK? You can certainly extract and decompile an apk, repackage and resign. It would be the same but would have a different signature and so couldn't be installed over the an existing installation. I'd argue this can be done with minimal effort using Apktool there 100's of articles on how to do it. But even easier with APK2Java which turns converting apk to java into a point and click experience.
Yes, to other appstores with no code changes. If the attacker changes the package name which is simple there are automated scripts that can so this it could be uploaded to Playstore.
100% preventable?, no. But you can make it allot harder and raise the difficulty and effort level required. As others have mentioned Proguard is a good start, I recommend Dexguard it's not free but really adds to your apk hardening. You could also add tamper checks to break functionality or alert user.
I've talked about Android app hardening at Droidcon UK here's the slides they may help. The idea is to add several levels of security to raise the time/effort it takes so most attackers will just move on to another app.