Android security for apk - android

I'm developing an android application for my client. He wants me to submit the apk to him for testing. I almost finished the application and i want to implement some kind of security to make sure that my client doesn't cheat me, until the payment is done.
Is there any way to implement any kind of security in the code?

If you just need to send him/her the apk, you should obfuscate your source code . You can refer to this link——http://developer.android.com/tools/help/proguard.html,If you have finished it ,you needn't worry too much since the source code is in your hand and it's hard to get the source code by reserving. Besides your project has not finished . Last, even if your project is finished , it still works.

Did you ever hear of Proguard? This feature that you want is called Code obfuscation. Like pointed out in the comments, this is a duplicated question.

This library on github called AndroidTimeLock might be useful. It's specifically designed for sending a dev/test build that will expire and stop working. Of course if the person in question is technical and determined they could decompile the app, remove the timelock check and recompile.
Adding code obfuscation proguard (or as I prefer the paid DexGuard) would of course increase the difficulty of this.

You can make your core code builded a dex-format file.Then use some algorithms such as RC5 and others to encrypt your dex file.At last ,put the dex file in Asset file.Then when your project need the core code,you can dynmic loading/.

I have compiled almost all security vulnerabilities and what measures to take before submitting your application to the play store. You can have a look here.

Related

Drag & Drop app builder licensing. How do I make sure the source code won't be decompiled and re-used?

I'm working on a drag and drop app builder. The concept is simple: users can build their apps visually, then the app's settings get turned into a configuration file which will be used by the app to decide how to construct itself (which views should be shown, how should the navigation look like, etc.)
My main concern is once the users download the apk (or ipa) file, they can decompile it, change things in the configuration file and re-compile/re-sign it to be published as a brand new app.
I was thinking about putting part of the logic on server side but that would introduce me the following problems:
If 1000 people built and published an app with my software, and each app sends only 10,000 daily requests to my server, that's already 10,000,000 requests per day, which would be pretty expensive.
If my server is down for any reason, I will have a lot of angry users coming at me.
Got any ideas?
There is no exact way of stopping decompilation/reverse engineering process of android app or apk !
But there Some chances to reduce the scope of code visiblity after decompilation/reverse engineering process !
Here are some habits I am sharing
1) Put important code on a Server : You may rely on remote procedure calls to a well protected server. This reduces the chance of your codes being stolen as the code will always remain on the server and nothing other than the results can be seen.
2) Debugger Detection Techniques : Insted of using the hard coated values or string use some formula or encryption methods which can help to hide the actual values
3) Write important parts of code in C/C++ :You can also write the important parts of your code in C/C++ and add them as a compiled library. While it can be disassembled into assembly code, reverse engineering a large library from assembly is extremely time-consuming. Java is easier to decompile in comparison to C/C++.
These are some key habits which are be taken care by good developer , You should also check out this answer as well !
Huh, I knew it wasn't possible to stop the decompilation/reverse engineering process on any android app. But, I thought maybe everything was possible! Like, perhaps something has changed since then, but no. Basically, I use the same steps as Nisarg Jani described. But, you have to pay some special attention to the C++ code. Any mistake will destroy everything that you have built to that moment. So, if you use a no-code desktop app builder, you should be aware of those "tips and tricks." Besides that, you should keep in mind that without the C++ code, you won't be able to do anything.

How to go from cracked APK to java code? 1-click tool cracked my app

So I published my android app, I proguarded it, applied LVL and even changed some of the LVL code but offcourse, I found it cracked somewhere using a tool called Lucky Patcher. I am not going to ask how can I protect against 1 click tools like that, as I guess there is no single answer ( unless you have an idea and can point me toward).
I need to ask you to help figure out how my code was cracked. I understand that this tool takes APK file and removes licensing. Now given that, how can I take this APK file and reverse engineer it back to Java files to see how the tool cracked my code (so I fix it)
Please help me
Thanks
After Proguard, there's no way to decompile your code into humanly-readable Java.
While it makes the reverse engineering process more difficult, it's not impossible for a clever reverser to figure out the hidden algorithm.
As for tools,
Use android-apktool to decompile to smali and extract all the encoded xml resources.
Use dex2jar to translate Dalvik into jar
and finally jd-gui to see the resulting reversed java code
There's a lot of info here on how to go from a DEX file back to Java source. Also, have you looked at this blog post which addresses many of the ways to protect your source?
piracy is a big issue , and i don't think that any platform or OS can be fully protected from it .
however , google already made some tutorials regarding protection against it , for example:
http://www.google.com/events/io/2011/sessions/evading-pirates-and-stopping-vampires-using-license-verification-library-in-app-billing-and-app-engine.html
also:
http://android-developers.blogspot.co.il/2010/09/securing-android-lvl-applications.html
i think that you can also put some sophisticated obstacles using C instead of java.
also , as google suggests, consider using a different approach : make the core features free , and make the rest purchaseable via in-app billing . you can also add ads and a feature to remove them by in-app billing as well .
I was thinking about this and it seems like if you really wanted to secure your application from hackers there is really only 1 way to do it. You can implement all kinds of fancy methods of insuring your application is licensed and paid for as described in the google article but all it takes is a good hacker to decompile your application and find where the code is and then comment it out or change a function to always return true.
Instead, implement some portion of your application that is required for use in jni/ndk, and check for validation in that code. It doesn't have to be extremely complicated code but you can't just put something like a function (eg. checkValidity) as a user could easily comment the java call that calls into the ndk. Instead you should make some call to your ndk to actually do something that is non-trivial for your application to run -- something the user can't just comment out or switch out with a defined function that does the same thing. From within the ndk code do the verification of your application's integrity/licensing and if it fails kill the application or whatever you need to do.
In order to bypass this the hacker would need to re-implement the ndk code or reverse engineer it.. Which should be much more complicated and not worth while.
This obviously isn't a simple solution and still won't guarantee your application never gets hacked, but it should be much harder to break than the other methods..
I personally think that Obfuscation {Proguard, Dexguard} and native {.so} are pretty effective way to go if used properly.
It definitely deters less experienced 'players' and definitely complicates the life of even experienced 'players'
Don't simply copy/paste the Google android example codes....

Android code obfuscation and secure android application from piracy

Presently i am a newbie in android development .. I need to develop a secured android application so that i can save it from getteg pirated.
For security of application i have used RMS in J2ME.In J2ME i use to do following steps :
generate a serial number(some random number)
save that number in rms,on next launch of application display the
same serial number on screen and ask user to input valid activation
code then if user enters correct activation code then application
activates and flag is set to true and i save this flag value in
other rms
if flag value is true then home screen is displayed to user on
launching app again else activation page is displayed.
I want to implement this concept in android ..Please guide me how to do it.Or tell me if any body knows some better way for doing this in android.
Secondly I want to obfuscate the apk file before releasing the application..after goggling for 2 days i found that it can be done using proguard.But i am not getting how to obfuscate the code.Please guide and help me for sorting both issues.
Thanks
There isn't really a way to protect any sort of client-side code, whether it is an Android *.apk, a Java *.jar file, or a bit of JavaScript code that runs in your user's browser. The best way to protect yourself from piracy is to make the application dependent on some server-side computation that you provide.
Since you are using RMS, it sounds like you already require a server-side computation. Rather than bothering users to enter an activation code, why don't you associate this activation code with the user's email address when they purchase the application, and then why don't you use OAuth with their Google Account to verify that the user has an email address that is known to have purchased the application?
About RMS
Michael Aaron Safyan said everything, nothing to add.
About ProGuard
ProGuard is now integrated to the Android framework, and requires basically no work to be set up. You just have to enable it as explained in this article and if needed to customize its configuration. "If needed", as the default configuration is suitable for most of the projects. You just have to be careful with the use if the reflexion as most of the packages, classes and methods are going to be renamed by the obfuscation process.
The parallel to RMS in Android is SharedPreferences.
However, the sharedPreferences xml file is not as protected as the RMS files in J2ME (at least in some devices). Anyone with a rooted device can read and write this file easily...
Therefore, I suggest you read about Android's Application Licensing. It's far from perfect, but it's a built in feature you can integrate easily.
http://developer.android.com/guide/publishing/licensing.html
EDIT:
Obfuscation:
To obfuscate your project all you have to do is add proguard.config=proguard.cfg to your default.properties file.
The obfuscation will occur according to the configuration stated in the defult proguard.cfg file.
Note that your code will only be obfuscated when you build the final APK (Android Tools -> Export ...) and I recommend testing the final APK after obfuscation, especially when 3rd party libs are part of the build process

Android apps reverse engineering

Is there any way to protect an Android applications source code from reverse engineering, as explain in this post: http://blog.darrylsite.com/?p=23 ?
Hm, you are linking to an article in French...
Anyway, using ProGuard should make reverse engineering more difficult, although it can't prevent it completely: Dalvik bytecode contains sufficient clues about an application's structure. Obfuscation (as performed by ProGuard) makes this harder to understand, but given sufficient effort, one will still be able to figure out what is going on.
Your two tools will be code obfuscation and server side-processing.
For the first, obfuscating, the Android team encourages the use of Proguard..
The second is to do your sensitive processing on a server and set up good licensing model. This makes it so the user doesn't have access to even your compiled code. They only get the results of the code and in order to run it you can use licensing to verify they are a valid user. For more information about licensing on Android see Licensing.
Did you take a look at ProGuard?

About compiler and decompilation

I want to prevent anyone from apk reverse compilation. We need to do something. I browsed on the internet, but I still don't know the operational steps clearly.
Who can tell me how to do it?
Anyone's help is so welcome!! Thanks!!
You need an obfuscator. If you are running .NET or Java, these should be easy to find.
There is nothing to prevent people from decompiling your code. All you can do is make it as nasty to read as possible. Don't do this in source (as you will not be able to modify your code yourself), use an obfuscator to do it as a post build step.
Google recommends ProGuard. See this link in the Android docs for more information.
It won't prevent people from disassembling your code (you won't be able to stop that - after all, the operating system needs to disassemble your code to execute it!), but it will make it very hard to see what's going on.

Categories

Resources