I create an application in android.
I know .apk can convert into .zip and my layout and xml files are extracted.
Is there any way to avoid the decoding of xml?
How can i encode the apk so it cannot converted?
thanks
An .APK file is simply a .ZIP file with a predefined directory/file layout, there is no "conversion" (unless you're simply talking about changing the extension).
ProGuard can be used to obfuscate code, but there's no "standard" way of encoding/encrypting the XML files. You could encrypt/decrypt them manually yourself, but you'd be introducing a great amount of overhead at runtime for decryption, and many standard interfaces would not work because they expect the standard plan-text XML format. You're looking at a great deal of code to accomplish what you're asking. This is all assuming you're loking to encrypt your strings.xml, etc.
If you're looking to encrypt custom XML data files, there's a thread with some good suggestions here.
Related
I have been doing lot of research on how to prevent people from accessing the manifest and layout files.
i know proguard is used for obfuscating code, but then it works only on Java code not on the res folder.
I have been through some answers like download content at run time instead of keeping them in assets and all that. But for now my concern is not to protect asset files. In my case it's manifest and the res folder I need to take care of. I have many types of keys stored in there like analytics xml file app_tracker.xml for example.
This isn't only about the secret keys I have in xml files, but also the logic of layout designing that is at risk.
These are the threads I found while I was doing research, but nothing was of any help to me.
1) How to avoid reverse engineering of an APK file?
2) How to protect a java application from reverse-engineering or code stealing?
I know reverse engineering cannot be avoided, but is there any way I can protect my manifest from being readable from hackers?
You could take a look at DexGuard, which is the commercial variant of ProGuard. It allows you to also encrypt the layout files and obfuscate the content of the manifest and other resource files (together with many other things).
If a phone can parse the manifest in order to install the app, then a user can parse the manifest too. It's as simple as that.
On a side note, obfuscation doesn't prevent people from seeing what's in your app - it just gives you a false sense of security. The security model of your app should assume that anything contained in the apk is public knowledge.
Been having a little bit of trouble with this. Googled about and I can't really find anything. Saw a few things about setting text but I don't think that affects the string resource file or at least I can't make it affect the resource file. Help please!
No, you can't modify apk at the runtime. If you don't own source code, you can pull apk file to the computer and decompile it by using APKTool, for example. If you are working with data you get from internet/user, it should be kept inside DBs, files, whatever. In other words in internal or external storage. Please take a look on storage options you can use http://developer.android.com/guide/topics/data/data-storage.html
I would like to do some basic obfuscation of files in my assets folder.
I realize that this would only slow down a dedicated reverse engineer, but I'm mostly hoping just to deter casual extraction of some of our assets.
The files are in plain text, so I thought BASE64 might make sense, however it would be trivial for anyone to write a BASE64 decoder as far as I can see, so an added level of entropy seems to be called for.
Any suggestions would be appreciated.
You could encrypt your files with a secret key (that is hard-coded in your app).
Check out this answer for simple encrypt/decrypt routines
As of now the best way to protect the assets folder is to encode it and decode it at run time and you can manage the keys in your java code. No other way is fool proof.
I'm fetching byte array from server but don't know the exact extension of the file because that file could be .pdf / mp4 / docx / zip, so how would I know the exact extension after saving it to sdcard.
Any idea?
There's no way to reliably determine the file extension from the file contents. It's like trying to find out what was written on an envelope, if all you have is the letter itself.
You could guess, but that would be a difficult task (for example, a docx is also a zip file). There is specialized software for this (many operating systems include the file tool), and you might find a third-party library that you can use, but even if you do that, it's still a guess.
I'd rather concentrate on finding a way for the server to tell you the original file name in addition to the contents.
There is no proper way to determine the file extension right away.
However you can impose conditions for the specific file types like if the file extension is mp3 then do the certain task. For that you can use FilenameFilter.
Check the how-to-find-all-files-with-certain-extension-on-android for more information about it.
If it is custom protocol, you should pass one(or more) byte of data type to the client side, then you get data and add extension on the client side according to the first byte(s). If it is http-like protocol, you can add some header to the answer. But it is need to do as on the serverside as well as on the clientside too.
I have download an apk from the internet and decpress it using dex2jarf tool so its gives compiled,.classes files which i convert into .java file through decompiler but it gives me classes toa proper way like it gives a.java,b.java c.java which is difficult to me read.Can i get proper classes name through apk file same as it is used in project.plz help
Thanks
What you are trying to achieve is called deobfuscation.
Programmers who wish to protect their intellectual property obfuscate their code to make it more difficult to read for those who might want to steal/copy/plagiarise their hard work.
Obfuscators replace these names with short, machine generated alternatives. Rather than seeing a call to dontAllow(), an attacker would see a call to a(). This makes it more difficult to intuit the purpose of these functions without access to the original source code.
Src: http://android-developers.blogspot.ie/2010/09/securing-android-lvl-applications.html
There is no way to recover identifiers if they have been stripped out. Compilation is a lossy process, like converting a RAW image to a low quality JPEG. There's no way to go from JPEG back to RAW.
However, there are tools like jeb and ida that allow you to rename the classes yourself. When renamed, all references to that class also get renamed. This feature is sometimes called "refactoring". This is about the best way to do it, but it takes more time.
Also, there are plugins for jeb that help automate the refactoring by generating new, more descriptive names than 'a', 'b', etc. Here's an example from jcase, which you can modify to suit your needs: https://github.com/CunningLogic/myJEBPlugins/blob/master/DeCluster.java