What is happening under the hood? somehow this is passed down to the OS, and someshow the OS will find the right activity / activities, and launch it? Is there a service / lib running in Android handling this? I am trying to modified the OS to override the logic of startActivity across the board, is this possible?
Thanks.
I would take a look at the Android source! Whenever I'm developing and I run into an issue I read through the source to discover what is happening under the hood; it's quite interesting! It's an insight into what's actually going on, and also very good guidelines for documentation and code formatting!
http://source.android.com/source/downloading.html
A good starting point might be ActivityManagerService
Basically, when an app is first launched, startProcessLocked() in ActivityManagerService creates a new ProcessRecord (if necessary) and then calls Process.start(), which in turns builds the arguments for zygote and sends to zygote's socket using zygoteSendArgsAndGetResult(). Of course there's more to it than that, for example if an app shares a uid, is isolated, etc. But that gives you the basic process.
Looking over the source is indeed a good way to understand what's going on. However, unless you're planning on modifying it, don't bother downloading AOSP, just use GrepCode. Easier to browse, search and everything is hyperlinked so it's easy to follow through to classes, find usages, derived methods, etc. If you download AOSP, you'll be stuck with grep, ack-grep if you're lucky and a text editor. Also, you'll only have the one version you picked to checkout. GrepCode has the code for almost every version since 1.5.
The linked text above will take you to the relevant source at GrepCode. Try it out! The only downside is that GrepCode doesn't include the native C++ layer.
Related
I've recently had some tasks requiring that I need to log an Android app for some events, like adding to cart, checkout, signing in to the app, pressing on a specific button, etc... to Facebook and Firebase platforms.
Since these are non-functional requirements, I figured out it could be a good idea to start implementing the AOP (Aspect Oriented Programming) method, so events can be intercepted without changing any code in the app.
I've made my research and found out that you could implement AOP using either the AspectJ lang (which is compiled to Java Bytecode and can talk to java directly), or AspectJ annotations like #Before #After and #Around to intercept the pointcuts.
However, I have read some articles like This one And This one, they don't seem to be working for me, the code before of after the pointcut calls do not get invoked at all. I feel like I might have something missing or outdated in the build.gradle aspect code that is mentioned in the first article (which is 8 years old really).
I won't be providing any code here since I've tried the exact same examples in the tutorials and didn't work for me.
I'm asking for someone recently implemented AOP in his Android app.. And could provide me with some steps that I can follow, so I can get the code in the aspects invoked and working.
Also, I've seen some people on the internet trying to implement the aspects in another Android module, and some in another src directory, if someone would explain the difference? And since I'm using Firebase and Facebook dependencies to log the events, wouldn't making the aspects in a different module affect me in any way?
Also, if anyone knows if I'm approaching the best way here to log the events (for Firebase and Facebook), or there could be better? I've went to AOP since I don't feel like changing the existing code to log some events is ideal.
Please, and thank you.
I'm working on a drag and drop app builder. The concept is simple: users can build their apps visually, then the app's settings get turned into a configuration file which will be used by the app to decide how to construct itself (which views should be shown, how should the navigation look like, etc.)
My main concern is once the users download the apk (or ipa) file, they can decompile it, change things in the configuration file and re-compile/re-sign it to be published as a brand new app.
I was thinking about putting part of the logic on server side but that would introduce me the following problems:
If 1000 people built and published an app with my software, and each app sends only 10,000 daily requests to my server, that's already 10,000,000 requests per day, which would be pretty expensive.
If my server is down for any reason, I will have a lot of angry users coming at me.
Got any ideas?
There is no exact way of stopping decompilation/reverse engineering process of android app or apk !
But there Some chances to reduce the scope of code visiblity after decompilation/reverse engineering process !
Here are some habits I am sharing
1) Put important code on a Server : You may rely on remote procedure calls to a well protected server. This reduces the chance of your codes being stolen as the code will always remain on the server and nothing other than the results can be seen.
2) Debugger Detection Techniques : Insted of using the hard coated values or string use some formula or encryption methods which can help to hide the actual values
3) Write important parts of code in C/C++ :You can also write the important parts of your code in C/C++ and add them as a compiled library. While it can be disassembled into assembly code, reverse engineering a large library from assembly is extremely time-consuming. Java is easier to decompile in comparison to C/C++.
These are some key habits which are be taken care by good developer , You should also check out this answer as well !
Huh, I knew it wasn't possible to stop the decompilation/reverse engineering process on any android app. But, I thought maybe everything was possible! Like, perhaps something has changed since then, but no. Basically, I use the same steps as Nisarg Jani described. But, you have to pay some special attention to the C++ code. Any mistake will destroy everything that you have built to that moment. So, if you use a no-code desktop app builder, you should be aware of those "tips and tricks." Besides that, you should keep in mind that without the C++ code, you won't be able to do anything.
I'm hoping to write a tweak to record all activities running on a rooted Android phone. For example, I want to record the information such as:
2012-07-31 15:03 app1:Activity01:onCreate()
2012-07-31 15:04 app1:Activity01:onStart()
...
2012-07-31 15:05 app1:Activity01:onPause()
2012-07-31 15:05 app2:Activity01:onResume()
Is is possible to do it? If so, please kindly tell me where to find the related information, books or domain knowledge I should study to accomplish this task. I'm new on Android programming but familiar with C++ and Java.
Thanks a lot!
Each Android app is executed in its own process running its own instance of the Dalvik VM. The VM normally does not provide the information you are looking for across process boundaries.
If you feel like really hacking your Android you could investigate into these two approaches:
Modify the Android API classes, basically building your own android.jar, where you can override and extend existing functionality.
Try to use the VM's debugging facility to gain access to its runtime state (see e.g. Dalvik VM debug monitor).
Bottomline: Rooting your phone is child's play compared to those hacks.
However, I would advise against trying to 'hook' into Android the way you described, both for performance and stability reasons.
So the answer was it ain't possible in a normal app, even on a rooted phone.
See comments :-)
So I published my android app, I proguarded it, applied LVL and even changed some of the LVL code but offcourse, I found it cracked somewhere using a tool called Lucky Patcher. I am not going to ask how can I protect against 1 click tools like that, as I guess there is no single answer ( unless you have an idea and can point me toward).
I need to ask you to help figure out how my code was cracked. I understand that this tool takes APK file and removes licensing. Now given that, how can I take this APK file and reverse engineer it back to Java files to see how the tool cracked my code (so I fix it)
Please help me
Thanks
After Proguard, there's no way to decompile your code into humanly-readable Java.
While it makes the reverse engineering process more difficult, it's not impossible for a clever reverser to figure out the hidden algorithm.
As for tools,
Use android-apktool to decompile to smali and extract all the encoded xml resources.
Use dex2jar to translate Dalvik into jar
and finally jd-gui to see the resulting reversed java code
There's a lot of info here on how to go from a DEX file back to Java source. Also, have you looked at this blog post which addresses many of the ways to protect your source?
piracy is a big issue , and i don't think that any platform or OS can be fully protected from it .
however , google already made some tutorials regarding protection against it , for example:
http://www.google.com/events/io/2011/sessions/evading-pirates-and-stopping-vampires-using-license-verification-library-in-app-billing-and-app-engine.html
also:
http://android-developers.blogspot.co.il/2010/09/securing-android-lvl-applications.html
i think that you can also put some sophisticated obstacles using C instead of java.
also , as google suggests, consider using a different approach : make the core features free , and make the rest purchaseable via in-app billing . you can also add ads and a feature to remove them by in-app billing as well .
I was thinking about this and it seems like if you really wanted to secure your application from hackers there is really only 1 way to do it. You can implement all kinds of fancy methods of insuring your application is licensed and paid for as described in the google article but all it takes is a good hacker to decompile your application and find where the code is and then comment it out or change a function to always return true.
Instead, implement some portion of your application that is required for use in jni/ndk, and check for validation in that code. It doesn't have to be extremely complicated code but you can't just put something like a function (eg. checkValidity) as a user could easily comment the java call that calls into the ndk. Instead you should make some call to your ndk to actually do something that is non-trivial for your application to run -- something the user can't just comment out or switch out with a defined function that does the same thing. From within the ndk code do the verification of your application's integrity/licensing and if it fails kill the application or whatever you need to do.
In order to bypass this the hacker would need to re-implement the ndk code or reverse engineer it.. Which should be much more complicated and not worth while.
This obviously isn't a simple solution and still won't guarantee your application never gets hacked, but it should be much harder to break than the other methods..
I personally think that Obfuscation {Proguard, Dexguard} and native {.so} are pretty effective way to go if used properly.
It definitely deters less experienced 'players' and definitely complicates the life of even experienced 'players'
Don't simply copy/paste the Google android example codes....
I'm trying to recreate this progress bar clock gadget I built in iGoogle as a widget for Android devices.
It seems like it should be pretty straightforward, especially considering the code is only 75 lines, but I have very little experience with developing in Android - even more-so when considering that I would like it to be a widget.
Hopefully Google will develop (if they somehow aren't already) a translation tool to accomplish this task, but until this, I'm out of ideas.
So here are some questions:
Are there any conversion tools for this yet? Something that would allow you use a program and/or a web service to point to the XML file used for the iGoogle gadget and have the program/service return back the necessary project files needed fro Android apps?
I'm not sure if this approach mentioned above is at all possible, but I'm sure that an Android app can be developed to perform the same way as it does on iGoogle - it's pretty basic Javascript + CSS syntax.
In any case, where should I start and what tutorials (if any) exist with regards to this specific request of translating iGoogle gadgets into Android apps (preferably avoiding the "iframe" type of app framework that just points to the mobile version of a webpage).
Are my assumptions $| intentions out of scope here? I feel like this is an easily doable project via the traditional means of using Androids SDK with Eclipse, for example. I tried messing around with the online GUI that Google had for developing Android apps, but the programming interface was like Visual Basic for 3rd graders - it just wasn't too intuitive either.
Also, any other suggestions on what steps I could take to execute this task would be greatly appreciated. I'm just guessing on how this could be done potentially, but if anyone has done something like this already or has insight towards this conversion process that's more valuable than pure speculation as I was doing above, please answer back with some suggestions as to how to accomplish this iGoogle Gadget -> Android Application conversion process.
I found another somewhat similar question on SO, but it doesn't have the same end result that I'm looking for: iGoogle Gadget on Android Phone as APP or Widget
Thanks a bunch for any help!
So far there is no conversion tool that allows converting to an Android wiget a preexisting widget written for another system. You have to rewrite it.
I know some code generators exist, but I don't know them. They won't take the gadget you are referring to as a source, but maybe they can help you to redesign it for Android. This requires checking.