I would like to do some basic obfuscation of files in my assets folder.
I realize that this would only slow down a dedicated reverse engineer, but I'm mostly hoping just to deter casual extraction of some of our assets.
The files are in plain text, so I thought BASE64 might make sense, however it would be trivial for anyone to write a BASE64 decoder as far as I can see, so an added level of entropy seems to be called for.
Any suggestions would be appreciated.
You could encrypt your files with a secret key (that is hard-coded in your app).
Check out this answer for simple encrypt/decrypt routines
As of now the best way to protect the assets folder is to encode it and decode it at run time and you can manage the keys in your java code. No other way is fool proof.
Related
We are building completely offline commercial eLearning app. we have to store some important video locally in the app and we don't want that to be stolen by extracting apk.
Is there any good way to achieve this with encryption/decryption or password protection etc on native android or react-native.
We are trying various solutions but a better way from you will help us in saving time and learning.
You can't do it.
You can encrypt it, but application will need key to decrypt it. Key can be sniffed or extracted from bytecode. Or even screen can be recorded without any key extraction.
Don't spend time on making troubles for anyone, spend time on great content.
100% securing assets and video is not possible, but you can use these ways to avoid extracting more data, like source code, assets form your APK, and resources:
1. Use ProGuard to obfuscate application code
2. Use NDK using C and C++ to put your application core and secure part of code in .so files
3. To secure resources, don't include all important resources in the assets folder with APK. Download these resources at the time of application first start up.
yes, its possible to do secure videos by using encryption.
please follow the following steps.
Encrypt your videos.(you can optimize this process by only encrypting the starting frames of the video, in this way, it will not be readable by any other player and your decryption will not take much time). I can provide you more information about it.
As your app will be offline so you have to keep decryption key in the app. so break the key into parts and build the key programmatically to avoid key extraction.
Use pro guard to obfuscate your code.
Use FLAG_SECURE to avoid screenshots and recording.
Cheers!
I've been trying to decompile and extract useful data from an APK for some time now. This data is stored in CSV files inside an "assets" folder. Unfortunately, the developers got smart, and have begun encrypting these CSVs starting in July. I've exhausted every way I know of to try and turn these files into readable versions of themselves without any success. But then, I realized, there are a few files in the assets folder that haven't changed since well before July—thus, I have both the decrypted and encrypted versions of these files. Using this knowledge, is it possible to predict the encryption pattern that all other files in the directory went through?
I'm fairly sure that it was encrypted bit-level, not byte-level since there are a lot of unknown characters (represented as special question marks) while trying to read these CSVs using Notepad/TextEdit/Atom in UTF-8 mode (or any other mode except UTF-16, really).
You're talking about a "known plain text" attack. No modern, widely used
method is vulnerable to this kind of attack, but many home grown encryption
methods are. Even with known text, you need to know or guess a lot about
the details of the encryption algorithm.
A better plan might be to hack the software that you know is doing the
decrypting, which must contain both the algorithm and the key.
You'd have better luck simply guessing based on the encrypted output. You'll need to familiarize yourself with characteristics of the output of algorithms and compare against what you see. This is probably a lot easier for hashes but you're talking about encryption. To answer your question though, it's unlikely that you're going to be able to use an unencrypted version of a file to break the encrypted one. You might try encrypting that file using different algorithms and comparing the results. That might give you the algo but could take longer.
Alternatively, here are some tools I found that might be able to automate the process for you...
https://code.google.com/archive/p/aligot/
https://bitbucket.org/daniel_plohmann/simplifire.idascope
https://www.aldeid.com/wiki/IDA-Pro/plugins/FindCrypt2
To crack it, you're also going to need to find the key that was used to encrypt it. Since it's a program that obvious must be decrypted to use, that key shouldn't be impossible to find. It's either in the apk or on a server somewhere in which case use wireshark but I'm guessing it's embedded.
They might be usig DexGuard or ProGuard. Here's a related post What methods are being used to protect this Android APK: Reflection? Encryption? How do I reverse engineer it and analyze it?
If it's ProGuard you might start with something like this: http://proguard.sourceforge.net/manual/retrace/examples.html
Here's some info on that: How to decode ProGuard's obfuscated code precisely?
I generate a small metadata file (2KB) from my app which needs to be unreadable if the user browse through file system. These files will not be transferred elsewhere through my app.
After prolong research I figured I have to use Symmetry encryption. But I am lost what type of algorithm and how to use key/salt. Efficiency of the algorithm is important because the file is updated on onPause method.
Should I declare it in code and use that for all users or should I generate new one for each user. If I go with second option, where do I store the key/salt for later use. Should I obfuscate the code?
Please advice.
Currently I have short listed these two. Are they secure enough for my requirement? How can I improve them?
http://www.codejava.net/coding/file-encryption-and-decryption-simple-example
String Encryption in Android
i believe this question is already asked but i am not satisfied with their answers and posting it again here.
can someone please tell me how to safeguard my android app assets from copy cats who want to build similar app?
As always there is a trade-off between convenience and security. The more secure you want your app the less convenient it will be for you to develop.
The source code is inherently insecure due to ease of decompiling especially with rooted phone. To protect your source code you can obfuscate and/or encrypt your code which will prevent decompiling. Not exactly sure what tools are available for Android, but I am sure it will complicate your build process. If you just obfuscate, decompiling may still be possible, but will be much more difficult and will likely require the person attempting to decompile your code to know and understand Bytecode if a strong level of obfuscation is used.
To protect your assets, I believe your only option is to use encryption. Again this will complicate the app and/or build process depending on where you implement.
Even if you use encryption to protect your assets, you must protect the encryption key within your source code. Obviously, it does not matter what encryption scheme you use if your encryption key is in plaintext in the source code then anybody can grab the key and your asset and decrypt. All this does is add one more small fence to jump over.
However, if you correctly protect the encryption key and use a good encryption algorithm you should have less to worry about. This is a fairly complicated process though, it is difficult to use a key for encryption within your code and not keep it in plaintext. Even if you don't keep it in plaintext within the code, at some point it must be in memory to perform decryption. So if somebody can attach a debugger or dump memory at the right time, it will compromise the key. Of course, this requires a much more skilled adversary.
Overall, you need to decide exactly who you are worried about stealing your assets. If you are worried about the average Joe copying them, then you should be ok. If you are worried about a professional hacker, script kiddie, etc. gaining access to them then you are probably out of luck.
can someone please tell me how to safeguard my android app assets from copy cats who want to build similar app?
Generally, you can't. If it's in the app, anyone who wants to can get to them.
You are welcome to roll your own encryption scheme, or use tools like DexGuard. However, since the decryption engine and key must be in the app itself, all these do is increase the level of effort required to get to your assets. Making it more difficult will reduce the odds that somebody grabs the assets out of your APK, but it does not prevent the possibility. And, of course, there are other ways to get at much of this stuff (e.g., screenshots and image editors, recording audio played back by the app).
You can secure assets folder contents by encrypt it using strong encryption algorithms and decrypt them at runtime. Copycats cannot easily decrypt and get assets folder contents by simply extract apk using zip tools.
So that no one can see code and resources by changing extension .apk to .rar and extracting using winrar. Any help will be highly appreciated.
There is a feature in android sdk by default, that it compresses the .apk so it would be hardly difficul for rever-engenering it.
Sorry, you can't really without help of the framework. Some features are added to Jelly Bean (like doing some crypto with device unique key), but in pre 4.1 you are all on your own. You can't protect standard resources (but you'd try to have then in your own proprietary format and then "build" assets in apps. As for code - obfuscate using tools like pro guard AND then try to reverse engeener your own app to see how it looks. You may try to make reversing harder by using reflection, crypting some portions of code, adding complicated code that in fact does nothing but it's hard to follow for someone who learsn what you do etc, etc. In general cat & mouse game.
You cannot prevent apk being extracted using winrar, 7z , unzip tools because apk is also a king of a zip file. But if you can secure its contents like assets, strings by using encryption. You can decrypt these resources at run time so the others cannot easily get the contents in assets, raw, string resources.