Generally we can get source code from the android installation package as shown in this reference link.
But, is it possible to secure the actual program code (source code) from a reverse engineer ?
The code that you write is converted into class files then dex files, so directly viewing the code is not possible. but however dex compilers can be used to de-compile the source code but that requires some good knowledge so for that you have to obfuscate the code. Google by default provides proguard so that you can protect the code
you can read about proguard from here
In simple words you cannot hide the source code, but just add this line proguard.config=proguard.cfg to your project.properties file so making it difficult to be decoded . You can check here for an example
No, because the android system has to be able to read it in order to run it. You can obfuscate it with tools like Proguard to make it harder to decompile, but there's no way to make it completely impossible.
Related
I am developing an android library and I want to hide it's code.
I am using other library, and for some of them, when trying to access their code with Android Studio, you only get the list of methods of the class and "/* compiled code*/" inside.
I am using pro-guard, but i can still access the source code of my library. Even if the methods and members names have been modified, the code is still readable and it is possible to read every hard coded strings.
How do I hide my code the same way those libraries do ?
Android Studio replaces the actual code with something like /* compiled code */ only if you don't have the actual source code for the library and the decompiler isn't activated. But it's trivial to either attach the source code or to install a decompiler.
You can display the bytecode of any class using javap. See Is it possible to view bytecode of Class file? for details.
Back to your original question: No, it's not possible to actually hide your code because the code is required to actually execute it. And if the code is there you can see the bytecode and decompile it. The best option you have is to obfuscate the code using Proguard which won't get you very far either regarding hiding your code. See How to avoid reverse engineering of an APK file? and Android ProGuard how to hide/obfuscate source code of exported library.
I want to encrypt .jar file of my android application so that it can't be decoded by any one to view the source code.
How can I achieve this?
It will always be possible to decompile it.
You can only obfuscate your code to make it harder to understand for humans. If your project insists of more than a few classes the effort to understand it will be higher than any one is willing to invest.
One tool to achieve this, which also reduces the size of your class-files is
ProGuard: http://proguard.sourceforge.net/
But there are quite some similar tools out there.
Firstly - you can exclude source code from jar files. It is not required at runtime. Class files are sufficient.
Encrypting will not help you, if you encrypt the files JVM will not be able to understand it.
As responded in the earlier answer, there will always be tools to decompile the byte codes, you can make it harder for the attacker to read so that it is not worth his time
I have been reading a lot about how malware writers repackage an existing benigh android .apk and repackage it to add malicious functionality.
Now, according to my understanding of the .apk file structure, each .apk file contains a single .dex file which is essentially java byte converted to .dex format. Also, the application has a binary XML called manifest.xml and other resource file and assets. If we have to add extra malicious functionality to the application then we have to modify the manifest.xml (which can be easily done by converting the binary xml back to normal xml), resources (which can be just replaced) and the .dex file.
But the .dex file has a particular structure. According to me any modification done to it should break the code. What techniques do the tools use to prevent the code from breaking because if are adding some malicious functionality to the original app, we are, in essence, adding an extra module.
What are some tools out there that support .apk file repackaging?
Thanks.
Edit: Some members might find it offending to discuss about reverse engineering. Iam research student working on Android Security. I need to know how .apk file repackaging works because this is my research topic. Also, talking openly about reverse engineering isn't a malicious act - books have been written on reverse engineering - using reverse engineering for malicious purposes is malicious :)
Security Information
Enable proguard in release mode. This will make it harder for reverse engineering. Also check this developer training documentation on security.
(from comment on this question)
Package signature validation
You can verify if a package has been repackaged by checking the signature. Some articles to help with that:
Retrieving APK signature during runtime.
Self checking an APK signature.
How to check APK signature.
(originally posted ad Verify Android apk has not been repackaged?)
Decompile DEX into Java
I answered a question about decompiling DEX code in the past. My original answer might be outdated by now but the question has been kept up to date by others. Here is an overview of some of the tools listed there.
A more complete version of
fred's
answer:
Manual way
First you need a tool to extract all the (compiled) classes on the
DEX to a JAR. There's one called dex2jar, which is made by a
chinese student.
Then, you can use jd-gui to decompile the classes on the JAR
to source code. The resulting source should be quite readable, as
dex2jar applies some optimizations.
1: http://code.google.com/p/dex2jar/
2: http://java.decompiler.free.fr/?q=jdgui
Automatic way
You can use APKTool. It
will automatically extract all the classes (.dex), resources
(.asrc), then it will convert binary XML to human-readable XML,
and it will also dissassemble the classes for you.
Disassembly will always be more robust than decompiling, especially with JARs obfuscated with Pro Guard!
Just tell APKTool to decode the APK into a directory, then modify
what you want, and finally encode it back to an APK. That's all.
Important: APKTool dissassembles. It doesn't decompile. The generated code won't be Java source. But you should be able to
read it, and even edit it if you're familiar with
jasmin. If you want Java source,
please go over the Manual way.
(original question: decompiling DEX into Java sourcecode)
I want to restrict my Android Application code to regenerate a code using reverse engineering process form my android .apk file. So then my application code will be secure but i don't know how to do this, please help me to restrict reverse engineering process to my android .apk file.
Thanks,
Android Developer.
The best you can do as far as I am aware is to obfuscate your code before deploying it.
Obfuscating, minifying etc will make the original code unreadable even if the code is decompiled. By unreadable I mean people will not easily be able to tell what variables are used for etc since they will no longer have meaningful names. The same goes for methods, etc.
"You cannot completely restrict Android apk from decompilation.
Because it uses dex formats any one can easily convert these dex files into jar file using publicly available tools like dex2jar.
But you can Obfuscate code to reduce code readability, you can also use native codes to prevent easy decompilation of code.
You can store some part your code in server and download them at runtime call function in library using Reflection concept,
which will help you to prevent your code from decompilation."
I am trying to prevent the app from being de-compiled and thus getting exposed. I know there is proguard which I can use to convert the java files to .smali files. But my question is, how secure are these .smali files?
When I did R&D on that, I got some results that .smali files can be converted back to java files. Is that true? Or else what is the best way to prevent the apk from decompiling? My app includes lot of financial details, so at any cost I should not be able to reveal them to the outside world or at least I am trying to make it very difficult to decompile it.
Note: I have already did lot of work on getting the working of proguard
Your answer would be greatly appreciated
Proguard is built in to later versions of the Android SDK. You just point to proguard.cfg and it will be used during release. I assume you know this bit.
Proguard is not related to smali. In the end all these tools output working bytecode and you can always recompile bytecode. Can't stop that. What proguard can do is rename all the symbols in your code so that the result is very hard to understand.
If you mean you are storing sensitive info in string literals in your app then don't do that. These can't be obfuscated or else your app wouldn't work. They are always visible as literals in the byte code.