Efficient way of using proguard in android - android

I am trying to prevent the app from being de-compiled and thus getting exposed. I know there is proguard which I can use to convert the java files to .smali files. But my question is, how secure are these .smali files?
When I did R&D on that, I got some results that .smali files can be converted back to java files. Is that true? Or else what is the best way to prevent the apk from decompiling? My app includes lot of financial details, so at any cost I should not be able to reveal them to the outside world or at least I am trying to make it very difficult to decompile it.
Note: I have already did lot of work on getting the working of proguard
Your answer would be greatly appreciated

Proguard is built in to later versions of the Android SDK. You just point to proguard.cfg and it will be used during release. I assume you know this bit.
Proguard is not related to smali. In the end all these tools output working bytecode and you can always recompile bytecode. Can't stop that. What proguard can do is rename all the symbols in your code so that the result is very hard to understand.
If you mean you are storing sensitive info in string literals in your app then don't do that. These can't be obfuscated or else your app wouldn't work. They are always visible as literals in the byte code.

Related

Decompiling and recompiling APK file

I'm currently working on analyzing some android malwares and i need to decompile APK files. Reading an answer and many other answers like it, i know that we can extract java source code and other resources, create a new project and put those files in, make some modifications and compile the project. Is this approach applicable to every APK file ? If we aim to make very little or no modifications in the java source code, does this approach work for every APK file? If not, what is the main reason?
As another question, i remember i read somewhere (can not find it now) that said converting dex to jar (with tools such as dex2jar) or decompiling dex to java (with tools such as JADX) is somehow lossy and causes information loss. Is there any such concept?
I ask this questions for educational purposes and i'm not aiming to do anything illegal.

Is it possible to edit/modify .so file?

I'm developing an Android application which contains native code.
The native code is compiled in a .so file that has important algorithms inside.
I'm really worrying about the possibility that my .so file can be edited or modified and then re-build (re-pack). Like apks they can be modified and repacked to create a new one
I have several questions here:
1) Is there any way to edit/modify .so files and re-build?
2) If there are, how do people do that?
3) How to prevent .so files from being edited then re-built?
The short answer is that anything that a computer can read and understand, it can also modify. There is no bullet-proof signature mechanism in Android for Java or native code. Still, the so files are generally considered much less vulnerable than the Java code, even with obfuscation turned on.
Reverse engineering a shared library is hard but possible. Disassembly, change, and assembly back is not hard if one knows what to change.
There are many ways to strengthen protection of your C++ code against reverse engineering, but none will hold against a determined and well-funded attack. So, if the stakes are very high, consider running the important part of your algorithm on your server, and prey for its security.

How to encrypt jar file of android application

I want to encrypt .jar file of my android application so that it can't be decoded by any one to view the source code.
How can I achieve this?
It will always be possible to decompile it.
You can only obfuscate your code to make it harder to understand for humans. If your project insists of more than a few classes the effort to understand it will be higher than any one is willing to invest.
One tool to achieve this, which also reduces the size of your class-files is
ProGuard: http://proguard.sourceforge.net/
But there are quite some similar tools out there.
Firstly - you can exclude source code from jar files. It is not required at runtime. Class files are sufficient.
Encrypting will not help you, if you encrypt the files JVM will not be able to understand it.
As responded in the earlier answer, there will always be tools to decompile the byte codes, you can make it harder for the attacker to read so that it is not worth his time

How to Create an application build securing the source code?

Generally we can get source code from the android installation package as shown in this reference link.
But, is it possible to secure the actual program code (source code) from a reverse engineer ?
The code that you write is converted into class files then dex files, so directly viewing the code is not possible. but however dex compilers can be used to de-compile the source code but that requires some good knowledge so for that you have to obfuscate the code. Google by default provides proguard so that you can protect the code
you can read about proguard from here
In simple words you cannot hide the source code, but just add this line proguard.config=proguard.cfg to your project.properties file so making it difficult to be decoded . You can check here for an example
No, because the android system has to be able to read it in order to run it. You can obfuscate it with tools like Proguard to make it harder to decompile, but there's no way to make it completely impossible.

How to Restrict to generate code form my Android .apk?

I want to restrict my Android Application code to regenerate a code using reverse engineering process form my android .apk file. So then my application code will be secure but i don't know how to do this, please help me to restrict reverse engineering process to my android .apk file.
Thanks,
Android Developer.
The best you can do as far as I am aware is to obfuscate your code before deploying it.
Obfuscating, minifying etc will make the original code unreadable even if the code is decompiled. By unreadable I mean people will not easily be able to tell what variables are used for etc since they will no longer have meaningful names. The same goes for methods, etc.
"You cannot completely restrict Android apk from decompilation.
Because it uses dex formats any one can easily convert these dex files into jar file using publicly available tools like dex2jar.
But you can Obfuscate code to reduce code readability, you can also use native codes to prevent easy decompilation of code.
You can store some part your code in server and download them at runtime call function in library using Reflection concept,
which will help you to prevent your code from decompilation."

Categories

Resources