I want to restrict my Android Application code to regenerate a code using reverse engineering process form my android .apk file. So then my application code will be secure but i don't know how to do this, please help me to restrict reverse engineering process to my android .apk file.
Thanks,
Android Developer.
The best you can do as far as I am aware is to obfuscate your code before deploying it.
Obfuscating, minifying etc will make the original code unreadable even if the code is decompiled. By unreadable I mean people will not easily be able to tell what variables are used for etc since they will no longer have meaningful names. The same goes for methods, etc.
"You cannot completely restrict Android apk from decompilation.
Because it uses dex formats any one can easily convert these dex files into jar file using publicly available tools like dex2jar.
But you can Obfuscate code to reduce code readability, you can also use native codes to prevent easy decompilation of code.
You can store some part your code in server and download them at runtime call function in library using Reflection concept,
which will help you to prevent your code from decompilation."
Related
This question already has answers here:
How to avoid reverse engineering of an APK file
(32 answers)
Closed 6 years ago.
I develop Android app and some of the codes are very private and confidential. I make encryption algorithm into my code to increase the safety.
But recently I read, when people having an .apk file, they can extract the java source code with 100% correct Source.
Not just that, people also can get .apk from Google Play Store Source
Does it means people who has my .apk can view all my source code(java, .xml layout, library)? If yes, all my hard work to have a secure app is not achieved.
Yes,hopefully There is a way of preventing other from getting your hard labor projects full source code .
Enable ProGuard for your android application. ant will call ProGuard to obfuscate your code.
Your code will be than shrinked as much as possible.Many functions and variables name will be replaced with shrinked form that nobody can decode or understand at all :)
More details are here: https://developer.android.com/studio/build/shrink-code.html
Note that enabling ProGuard takes build time much more than normal build time.So better to do it before release of your app.
The process is called Android Reverse Engeneering. As #ash12 said , you can use ProGuard to obfuscate your source code. But then it will be a serious security-compromise if u store your app credentials like api tokens ,passwords etc.. in the source.
Also You could take a look at DexGuard , which is the commercial variant of ProGuard. It allows you to also encrypt the layout files and obfuscate the content of the manifest and other resource files (together with many other things).
I'm developing an Android application which contains native code.
The native code is compiled in a .so file that has important algorithms inside.
I'm really worrying about the possibility that my .so file can be edited or modified and then re-build (re-pack). Like apks they can be modified and repacked to create a new one
I have several questions here:
1) Is there any way to edit/modify .so files and re-build?
2) If there are, how do people do that?
3) How to prevent .so files from being edited then re-built?
The short answer is that anything that a computer can read and understand, it can also modify. There is no bullet-proof signature mechanism in Android for Java or native code. Still, the so files are generally considered much less vulnerable than the Java code, even with obfuscation turned on.
Reverse engineering a shared library is hard but possible. Disassembly, change, and assembly back is not hard if one knows what to change.
There are many ways to strengthen protection of your C++ code against reverse engineering, but none will hold against a determined and well-funded attack. So, if the stakes are very high, consider running the important part of your algorithm on your server, and prey for its security.
I have been reading a lot about how malware writers repackage an existing benigh android .apk and repackage it to add malicious functionality.
Now, according to my understanding of the .apk file structure, each .apk file contains a single .dex file which is essentially java byte converted to .dex format. Also, the application has a binary XML called manifest.xml and other resource file and assets. If we have to add extra malicious functionality to the application then we have to modify the manifest.xml (which can be easily done by converting the binary xml back to normal xml), resources (which can be just replaced) and the .dex file.
But the .dex file has a particular structure. According to me any modification done to it should break the code. What techniques do the tools use to prevent the code from breaking because if are adding some malicious functionality to the original app, we are, in essence, adding an extra module.
What are some tools out there that support .apk file repackaging?
Thanks.
Edit: Some members might find it offending to discuss about reverse engineering. Iam research student working on Android Security. I need to know how .apk file repackaging works because this is my research topic. Also, talking openly about reverse engineering isn't a malicious act - books have been written on reverse engineering - using reverse engineering for malicious purposes is malicious :)
Security Information
Enable proguard in release mode. This will make it harder for reverse engineering. Also check this developer training documentation on security.
(from comment on this question)
Package signature validation
You can verify if a package has been repackaged by checking the signature. Some articles to help with that:
Retrieving APK signature during runtime.
Self checking an APK signature.
How to check APK signature.
(originally posted ad Verify Android apk has not been repackaged?)
Decompile DEX into Java
I answered a question about decompiling DEX code in the past. My original answer might be outdated by now but the question has been kept up to date by others. Here is an overview of some of the tools listed there.
A more complete version of
fred's
answer:
Manual way
First you need a tool to extract all the (compiled) classes on the
DEX to a JAR. There's one called dex2jar, which is made by a
chinese student.
Then, you can use jd-gui to decompile the classes on the JAR
to source code. The resulting source should be quite readable, as
dex2jar applies some optimizations.
1: http://code.google.com/p/dex2jar/
2: http://java.decompiler.free.fr/?q=jdgui
Automatic way
You can use APKTool. It
will automatically extract all the classes (.dex), resources
(.asrc), then it will convert binary XML to human-readable XML,
and it will also dissassemble the classes for you.
Disassembly will always be more robust than decompiling, especially with JARs obfuscated with Pro Guard!
Just tell APKTool to decode the APK into a directory, then modify
what you want, and finally encode it back to an APK. That's all.
Important: APKTool dissassembles. It doesn't decompile. The generated code won't be Java source. But you should be able to
read it, and even edit it if you're familiar with
jasmin. If you want Java source,
please go over the Manual way.
(original question: decompiling DEX into Java sourcecode)
Generally we can get source code from the android installation package as shown in this reference link.
But, is it possible to secure the actual program code (source code) from a reverse engineer ?
The code that you write is converted into class files then dex files, so directly viewing the code is not possible. but however dex compilers can be used to de-compile the source code but that requires some good knowledge so for that you have to obfuscate the code. Google by default provides proguard so that you can protect the code
you can read about proguard from here
In simple words you cannot hide the source code, but just add this line proguard.config=proguard.cfg to your project.properties file so making it difficult to be decoded . You can check here for an example
No, because the android system has to be able to read it in order to run it. You can obfuscate it with tools like Proguard to make it harder to decompile, but there's no way to make it completely impossible.
I am trying to prevent the app from being de-compiled and thus getting exposed. I know there is proguard which I can use to convert the java files to .smali files. But my question is, how secure are these .smali files?
When I did R&D on that, I got some results that .smali files can be converted back to java files. Is that true? Or else what is the best way to prevent the apk from decompiling? My app includes lot of financial details, so at any cost I should not be able to reveal them to the outside world or at least I am trying to make it very difficult to decompile it.
Note: I have already did lot of work on getting the working of proguard
Your answer would be greatly appreciated
Proguard is built in to later versions of the Android SDK. You just point to proguard.cfg and it will be used during release. I assume you know this bit.
Proguard is not related to smali. In the end all these tools output working bytecode and you can always recompile bytecode. Can't stop that. What proguard can do is rename all the symbols in your code so that the result is very hard to understand.
If you mean you are storing sensitive info in string literals in your app then don't do that. These can't be obfuscated or else your app wouldn't work. They are always visible as literals in the byte code.