We are developing an Android application. We know that using tools like APKTool, dex2jar can get the source code of an APK.
1) Can they get complete source code so that they can rebuild the same APK, with very minimal effort?
2) After getting the source code, is there a possibility that others can upload the rebuilt APK under their own name?
3) If possible, how to prevent this?
Our clients are keen about this.
It is not possible to prevent your application from being reverse engineered. However, you can make it harder using tools loke proguard.
Yes, it is possible that others can upload the reverse engineered APK. Nevertheless, they need to change the package name.
It cannot be prevented.
Have a good look here for a more detailed explaination: How to secure my app against piracy
1) They can, but NOT WITH A MINIMAL effort.
2) Sure, they can.
3) You can't. You can just make their work a bit harder, trying to obfuscate your code as much as possible and crypting your dbs (which is the most important thing you and your users should worry about).
Not sure what you mean by APK? You can certainly extract and decompile an apk, repackage and resign. It would be the same but would have a different signature and so couldn't be installed over the an existing installation. I'd argue this can be done with minimal effort using Apktool there 100's of articles on how to do it. But even easier with APK2Java which turns converting apk to java into a point and click experience.
Yes, to other appstores with no code changes. If the attacker changes the package name which is simple there are automated scripts that can so this it could be uploaded to Playstore.
100% preventable?, no. But you can make it allot harder and raise the difficulty and effort level required. As others have mentioned Proguard is a good start, I recommend Dexguard it's not free but really adds to your apk hardening. You could also add tamper checks to break functionality or alert user.
I've talked about Android app hardening at Droidcon UK here's the slides they may help. The idea is to add several levels of security to raise the time/effort it takes so most attackers will just move on to another app.
Related
I have signed my APK now but if I open it up I can still see many things like websites I connect to, Stuff that is written in the APP etc. Is there anything that I should be aware of? On one hand this is needed to run the app, but is there any sensetive data included?
proguard doesn't obfuscate strings. Dexguard does, but you'll have to pay for it.
I've run into an issue and not sure how to solve. I worked with a developer to create an IOS and Android app. It's a paid app and I decided after about 6 months to create the same app and offer for free with ads. This should go smoothly, but the developer says his computer crashed and he no longer has my source files. I have a version, but not "the" version cause I was working with him through Elance and reached the upload limit to send files. Can I retrieve the files from Apple or Google Play somehow? Any other ideas? Any help is appreciated.
I'm afraid you are going to have troubles either way. From what I know of Google Play, you need to have the unique signature (private key) compiled in to the APK when you upload it. Since there is no way you'll get that again, you won't be able to duplicate it.
On the other hand, you would have to compile a NEW version anyway, since it is not a paid version. So, assuming you have access to the source code at all, none of the first paragraph really applies.
Having said all that, what you need is an app decompiler. I wish you luck with that. But that's never as simple as it seems. I'm afraid you may have to start from scratch. Although, having done it once, you shouldn't have such a hard time with it...
What you need to do is this:
A. Pray that your developer had neglected to obfuscate your app's code
B. Download the APK from Google Play and use dex2jar to convert it into a standard Java jar.
C. Download jd java decompiler from here to convert the binary .class files inside the jar into text
D. Use ApkTool to convert the binary encoded XML files within your APK into textual XMLs.
E. Get into the habit of using source control
Good luck.
Unfortunately it's not possible to decompile a iOS- or Androidapp.
I'm making my first Android app, and it will be a paid (1$) app targeting API8 (Android 2.2).
Right now I see 2 options for protecting my app from sharing:
Using Android license checking : The problem is that the device must have an internet connection, and that as I've read on the net, the license caching is buggy. And, the biggest draw back is that it can be cracked anyway by an average cracker... Also, I don't want to penalise honest users by slowing down the app startup or by exiging an internet connection.
Using ProGuard, and activating the legacy anti-copy option when publishing the app : Is this unsecure to the point that even a newbie would be able to copy / share my app ?
Also, I don't wont to spend a lot of time on the security of my app, so please don't suggest solutions that are hard to implement / time consuming.
For now I'm more for the second option. Please help me decide, and tell me if I'm wrong in what I've said.
[UPDATE]
One more question : Does the Android LVL add more encryption to the APK and make it more difficult to share ? Or is it only used to check the license online ? Is it safe to not use it at all and only use Proguard and the legacy anti-copy option when uploaded ?
Thanks.
The answer is simple! Do not waste your time in adding protection...it will be cracked the minute it gets uploaded and WILL be pirated very easily!
Use proguard as your best defence for the app to obfuscate the names of classes into single-lettering scheme.
There's a good report here of a recent scam perpetrated through the Android market.
http://www.theregister.co.uk/2011/12/12/android_market_malware/
Someone copied some popular game .apk files off a rooted phone, decompiled them with smali, added code to make them use an expensive premium SMS service, re-signed them with his own key, and put them back in the Android market. Over 10K users downloaded them in the 24 hours before Google booted the apps from the market.
How can app developers protect against their work being stolen, modified, and remarketed in this way? I suppose you could match the MD5 hash of your app as it was when you shipped it (perhaps kept with your app in the google market, or on one of your servers), with the MD5 hash of the app as it is now. But we don't have tools for checking the MD5 hash of an .apk file, and the underlying files are not visible to app software.
Ensuring identity integrity of an app you run, surely, is a solved problem. What is the best practice?
This kind of black hat practice are impossible to avoid. Whatever you find, a lucky, ingenious, patient hacker will undo it.
You can nevertheless hope to work hard enough to make it harder for most hackers to easily break your protections. That's what people often call IT security btw :)
Fields to investigate are :
obfscation
CRCs and MD5 as you mentionned it
secure networked verification
a second app to check the first
a custom checking class loader (can you do that on android ?)
Not the be-all-to-end-all but there is ProGuard:
The ProGuard tool shrinks, optimizes, and obfuscates your code by
removing unused code and renaming classes, fields, and methods with
semantically obscure names. The result is a smaller sized .apk file
that is more difficult to reverse engineer. Because ProGuard makes
your application harder to reverse engineer.
If you are willing to spend some money then go for some professional help such as Arxan. We have used this in our enterprise level app. Basically it recompiles the .apk with its own encryption and creates a new apk which will enable you to know whether tampering was done with apk and other such instances. You may refer to this url : https://www.arxan.com/ for more details and do your research accordingly.
I'm experimenting with Android and I want to know if the following is possible: can I modify/patch an installed APP using another APP?
I know it's possible with root access, but I was wondering about non-rooted phones.
The only solution that comes to mind is the following:
-Create copy of original APK from data/app/ folder
-Patch/rebuild it
-Launch installation of the patched APK
The user would need to confirm the installation, but in theory it would work right? Any other tecniques that I haven't thought of?
In case you're wondering, I'm interested in injecting different strings and other resources into existing apps to provide translations or other modifications (ex: cheats in games), without changing the source of original apps.
You are right, you can do this on a device. Smali/Baksmali can be used on Android, also the apktool should be callable (I have only tried smali).
A year ago or so I have tried to use smali on a device and autopatch the source output. There was some information on the net (which I'm currently unable to find, sorry) but it was very limited, at least someone showed how to use smali/baksmali correctly. I have abandoned this approach because I'm not that good at java and the resources on a phone are rather limited.
Another approach I thought of was to offload the actual work to a server somewhere in the net. But this has its very own problem as you need to transfer the files, you may need the framework.apks, and so on.
This is interesting but hard stuff, you need to decode/parse/patch/rebuild apks and this has to be reliable. When you fail, the worst thing is that the users phone is broken (I wanted to modify critical system apks, bad idea ;)).
Better if the reinstall is seamless and for that you need: INSTALL_PACKAGES permission.
Now, INSTALL_PACKAGES android:protectionLevel is "signatureOrSystem" which means the app needs to be signed with the same certificate that was used to sign the system image.
Now to sign one's app with the same certificate as the one used to sign the system image might seem like a difficult if not impossible task since vendors may not be to willing to let other's use their certificate. Then again, some might want your app included in their system image. In any case it doesn't matter per sey since it's Android and Android has a ROM market.
Android ROMS are more and more synonymous with the general 'workings' or 'features' of Android. It is something that Android users come to expect. There are ROM manager apps available on the Android market that will list and install ROMs etc..
So in essense for an app to gain the INSTALL_PACKAGES permission one can make their own ROM, OR, work with the people who make ROMS and either have the app included with the ROM or use the certificate used to sign the ROM's system image to sign the app.
Again it is entirely possible that a vendor include the app in their "firmware" (system image). You would have to approach them.
:)
if both are your app use .content provider to share data between apps.and if other app is from another developer then you simply can't modify the app.