Is an application build using unity3d for android obfuscated or in some form proguarded?.
I searched on net and read different views, some say that it is proguarded by default, some say to use a 3rd party code obfuscator to obfuscate the c# or javascript scripts before building for android????
what i want to know is-
what is the best approach when releasing an Android application made by unity3d on google play store, so that the code is obfuscated if someone tries to decompile it.
No it is not. There are plethora of tools that decompile the DLL's into it's respective original assets and source code files. This is one of the distinct downfalls for using .NET CIL languages, the lack of ability to hide from decompiling. For Android, it may be protected through a few different levels, but in the end if they wanted to get to your code they could because of .NET runtime. Reflector has been the defacto .NET decompiler for years, and there are plenty of resources on the internet that show how to use it to get compiled code, and allows you to convert to VB, C#, C++ and a few other options.
Like Gabe asserted above however, there's nothing too unique about Unity3D coding. Since it's such an open community and a good active user base giving away code and assets, and selling it, there's nothing top secret that can't be replicated elsewhere. The community for Unity3D is huge, hence the reason for the lack of uniqueness of your code, chances are you've gotten and compiled from other resources and put together. On that platform, it's rare for someone to do something 100% from scratch.
Related
Many third party whatsapp mods are developed with so many cool features like automatic replies, notifications when a person of interest comes online, message timer, etc.
When whatsapp hasn't released any source code and with reverse engineering becoming too tough how are these guys able to build such features?
They use reverse engineering, tools for reverse engineering 3rd party, closed, binary Android apps. These tools can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project like file structure and automation of some repetitive tasks like building apk, etc.
Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png. and XMLs)
Rebuilding decoded resources back to binary APK/JAR
With reverse engineering tools such as dex2jar and Apktool you can decompile an Apk.
But you need good knowledge about byte codes and Smali to modify the generated source.
I just read these topics:
Is there a way to get the source code from an APK file?
How to avoid reverse engineering of an APK file?
...and realized that you can't develop an android program without being possible for its .apk file to be reverse engineed.
You can use Proguard and tricks but still your code will not be completely hideable.
So if you want to make an app completely close-source what you have to do?
For example, what Facebook and Snapchat and Messenger (e.g) did so their source codes are not accessible?
Also, another question: if you upload your app on google play, then a user can get your .apk?
Thanks in advance!
Every app may be reverse engineered.
The difference is only time needed to do it.
Proguard is a minimal solution whish requires minimal efforts and provides a level of protection that is enough in most cases.
You may also use other obfuscation tools (for example, DexGuard).
Another way is making shared libraries with Android NDK and using it. Reverse engineering of native binaries is usually more difficult than Java classes.
Probably the only way to completely protect your algorithms is to remove them from user's device - move to a server. In that way application will do a requests, but computation will be performed on your server.
As for extracting APK - it is possible, as Giorgos Pippos wrote.
From what I know, there are programs you can use to extract an apk from your phone. For example APK Extractor is listed in the Play Store.
You can use this kind of apps to get the apks you want.
I'm student and and my favorite language is C#.
However i must create my first application for android and I have just found something about Xamarin. Does it make sense to use that instead of Java? Beacouse Java really doesn't match me.
It's a academic project, but also I'd like to deploy that to Google Play Store.
In the Xamarin shop I found that I can develop my application on the free version, but propable i need Xamarin.Forms and buy INDIE license, isn't it?
Adam, I will greatly encourage you to write your first app in native Android. Xamarin is an amazing tool set and you should keep tuned in to Xamarin but be rest assured that Xamarin or any other non native development tool is not for the beginners nor the faint of heart.
The reason I encourage you to get started with native Android is because of Documentation, Examples and Getting Unstuck. When you run into problem with native Android, either Google already have a sample project that addresses that issue with code example, or it has already been asked, debated and answered in StackOverflow.
One thing that will help you though is the complexity of your first project, if you choose a complex app you may never ship it. If you choose a moderate app, then the issue of having to know Java is essentially a mute point because the framework provides most of the plumbing code you need to accomplish most basic use cases. The remaining Java you will pick up as needed.
Goodluck
It dosnt matter if your develop with Xamarin or native Java. You will always have to know about the Android Framework.
Futher you don't need to use Xamarin.Forms, you could also write the UI Part platform specific.
The need for Xamarin.Form is that you code your UI once and be able to deploy them to iOS, Android and WindowsPhone devices.
I have my native android app in play store, in recent days my app gets multiple request frequently from a particular user, for time being in have blocked that particular device id, i fear would be there any chance to crawl my app?
Is there any way of crawling android app content?
Of course there is! You can open your APK like any zip archive and open whatever you want. You can use aapt tool from Android SDK to replace some parts. And you can decompile your code using undex tools. It will not be exactly what you used, but they will be able to modify your application.
You can do it harder for them, if you use some obfuscation tools like Proguard. You cannot prevent completely revealing your code however. It is much harder to disassemble native code, but still possible. Make sure you do not compile symbols for all functions into release library. See http://www.ibm.com/developerworks/aix/library/au-aix-symbol-visibility/ for examples.
If you have something really valuable, only secure way it to process data on your secured server without giving your code to the user. All code you give on the user's device can be decompiled. It differs only by how hard it is and how much he has to spend to do that.
I may not have understood what you meant by crawl your app though.
I am getting started with mobile apps development, but there are so many tools available to develop cross-platform apps, so I am really curious as to what was used to build certain apps.
Basically I would like to know if there is something like PEiD, but for mobile apps, or if there is an easy way to find out what was used to create a certain app I've downloaded from Google's/Apple's App Store (i.e. some sort of file or information inside the apk file).
EDIT
After searching a bit more I found this, which may work in a few cases: decompiling DEX into Java sourcecode
For instance, I decompiled one game that I had on my Android smartphone (and on my iPad) and found Cocos2d framework inside it.
Some cross platform tools let the programmer use web technologies (HTML, CSS and JavaScript) so then they can load these files into a WebView. If you were to dump the View hierarchy using DDMS you will see a WebView on it.
Having said that, the point of these frameworks is to generate the same end result as a native app, so I doubt there will be metadata somewhere in the .apk.