I am developing an application that has SQLite database to store personal information that must be protected. What are some ways of protecting these personal data? An APK can easily be de-compiled completely, so how can we secure an APK? Additionally, how can a database of a mobile application be protected?
Basically, there are 5 methods to protect your APK being cracking/ reversing/ repackaging:
1. Isolate Java Program
The easiest way is to make users unable to access to the Java Class program. This is the most fundamental way, and it has a variety of specific ways to achieve this. For example, developers can place the key Java Class on the server, clients acquire services by access relevant interfaces of the server rather than access to the Class file directly. So there is no way for hackers to decompile Class files. Currently, there are more and more standards and protocols services provided through interfaces, such as HTTP, Web Service, RPC, etc. But there are lots of applications are not suitable for this protection. For example, Java programs in stand-alone programs are unable to isolate.
2. Encrypt Class Files
To prevent Class files from being decompiled directly, many developers will encrypt some key Class files, such as registration number, serial number management and other related classes. Before using these encrypted classes, the program needs to decrypt these classes first, then loading these classes into JVM. These classes can be decrypted by hardware, or software.
Developers often loading cryptographic classes through a customed ClassLoader class (Applet does not support customed ClassLoader because of security). Customed ClassLoader will find cryptographic classes first, then decrypt them. And finally loading the decrypted classes to JVM. Customed ClassLoader is a very important class in this protect method. Because it itself is not encrypted, it may be the first target of a hacker. If the relevant decryption key and algorithm have been overcome, then the encrypted classes can easily be decrypted.
3. Convert to Native Codes
Convert program to native codes is also an effective way to prevent decompilation. Because native codes are often difficult to be decompiled. Developers can convert the entire application to native codes, or they can also convert only key modules. If just convert key part of the modules, it will need JNI technology to call when Java programs are using these modules. It abandoned Java's cross-platform feature when using this mothod to protect Java programs. For different platforms, we need to maintain different versions of the native codes, which will increase software support and maintenance workload. But for some key modules, sometimes this solution is often necessary. In order to guarantee these native codes will not be modified or replaced, developers often need to digitally sign these codes. Before using these native codes, developers often need to authenticate these local codes to ensure that these codes have not changed by hackers. If the signature check is passed, then developers can call relevant JNI methods.
4. Code Obfuscation
Code obfuscation is to re-organize and process Class file, making the treated codes accomplish the same function (semantics) with the untreated codes. But the obfuscated codes are difficult to be decompiled, i.e., the decompiled codes are very difficult to understand, therefore decompile staffs are hard to understand the really semantics. Theoretically, if hackers have enough time, obfuscated codes may still be cracked. Even some people are developing de-obfuscate tool. But from the actual situation, since the diversified development of obfuscation, the mature of obfuscation theory, obfuscated Java codes can well prevent decompilation.
5. Online Encryption
APK Protect was an online encryption website for APK, but activity has apparently been discontinued since 2013 or so. It provided Java codes and C++ codes protection to achieve anti-debugging and decompile effects.
I originally suggested you use this last method for it could save you more time. Based on my experience, it was very simple to operate and it wouldn't take long time.
With Jellybean this has now become a possibility.
$ openssl enc -aes-128-cbc -K 000102030405060708090A0B0C0D0E0F
-iv 000102030405060708090A0B0C0D0E0F -in my-app.apk -out my-app-enc.apk
$ adb install --algo 'AES/CBC/PKCS5Padding' --key 000102030405060708090A0B0C0D0E0F
--iv 000102030405060708090A0B0C0D0E0F my-app-enc.apk
pkg: /data/local/tmp/my-app-enc.apk
Success
Please read the following blog post for further details
If this is secret information that must not fall into the hands of your users, you cannot secure it. It is fundamentally impossible to put information on a device (code or data), and have your application access it, but not allow someone with the device to have access to that information.
Encrypting the information is pointless from a security point of view, because your application has to contain whatever is needed to decrypt it in order to use it, and a sufficiently motivated attacker can always extract that and decrypt it on their own.
All you can do is make it more annoying and time consuming to get access to that information, which only helps if there's not really that much of a need to keep it secret. This is what using proguard to obfuscate your .apk file can do.
Have you considered sqlite encryption? See this thread - sqlite encryption for android
As for protecting your .apk, try obfuscating your code using proguard. See http://developer.android.com/guide/developing/tools/proguard.html
You can try 'Anti Decompiler(Android)Trial'
https://play.google.com/store/apps/details?id=com.tth.AntilDecompilerTrial
It makes something Proguard doesn't:
Hide all const values (string, character), you will never see clear text like "my key", "my val"... in your apk file
Obfuscate file name, which is referenced in AndroidManifest.xml
Add fake code to your source code. Event the powerful decompilers likes: dex2jar, jd-gui,... can't reverse exactly your apk file. Most of functions will show with comment 'Error'.
=====
After transforming, if you give someone your source project, it will be nearly impossible to read and understand.
This solution doesn't exclude Proguard, You can combine them together. (function, field Obfuscation of Proguard is better than Obfuscation features of this solution)
You may read my post at: http://www.androidpit.com/en/android/forum/thread/567093/An-Analysis-of-Android-APK-Protect-Shell-APKProtect. The APK added with protect shell of APK Protect is seems unable decompile. I mean, the encrypt method is very advanced. Even a master hacker need long time to crack it.
If it is the database that contains sensitive data you can encrypt the values of several columns or the full database like mentioned in the other answer and make sure that the password is not stored on the device but has to be entered by the user on accessing the data.
If there are pieces of code you need to protect there's really no good way of securing it. All you can for a limited amount of use-cases is to create a dependency to an online service and secure the server. But for a lot of applications this would not be an option.
First, make apk that can never be modified and used. I do it by temper detection from the server. I use root check emulator check. Then on the important activity, it checks root and emulator on every oncreate and on resume, deletes important data on onpause, Great. Now encrypt data and place license to server, use SSL server. It app can not be modified and run, everything is safe for ever. Well, how to avoid decompiler and online tamper detection. I do placing a huge code to generate some sample string from apk file, and compare it with an apk copy placed on the server. I have converted apk file to string. Just enjoy.
Related
We are building completely offline commercial eLearning app. we have to store some important video locally in the app and we don't want that to be stolen by extracting apk.
Is there any good way to achieve this with encryption/decryption or password protection etc on native android or react-native.
We are trying various solutions but a better way from you will help us in saving time and learning.
You can't do it.
You can encrypt it, but application will need key to decrypt it. Key can be sniffed or extracted from bytecode. Or even screen can be recorded without any key extraction.
Don't spend time on making troubles for anyone, spend time on great content.
100% securing assets and video is not possible, but you can use these ways to avoid extracting more data, like source code, assets form your APK, and resources:
1. Use ProGuard to obfuscate application code
2. Use NDK using C and C++ to put your application core and secure part of code in .so files
3. To secure resources, don't include all important resources in the assets folder with APK. Download these resources at the time of application first start up.
yes, its possible to do secure videos by using encryption.
please follow the following steps.
Encrypt your videos.(you can optimize this process by only encrypting the starting frames of the video, in this way, it will not be readable by any other player and your decryption will not take much time). I can provide you more information about it.
As your app will be offline so you have to keep decryption key in the app. so break the key into parts and build the key programmatically to avoid key extraction.
Use pro guard to obfuscate your code.
Use FLAG_SECURE to avoid screenshots and recording.
Cheers!
What I want to know is can a signed apk be extracted and edited? And can the attacker again compress the apk and attack a victim?
I know that we can use proguard to obscure the code but some people said that the apk still can be extracted and modified through reverse engineering.
My main concern is I want to encrypt my java files because I have some authentication data in my java files.
Can anyone give me a bulletproof method to protect java files from being inaccessible.
Edit -
Found few old thread in stack but they never explained about signed apk and protect them from getting exploited.
Yes. Cryptographic signing is not encryption. Signing proves that whoever signed it knew a secret key. Assuming the key is kept secure, you can be sure that two files signed by the same key are from the same person. With some forms of signing with public and private keys, it can be used to prove the identity of the signer. This does not provide any protection against reading that data, although it does provide protection against a counterfeit copy of the app being claimed as the real thing (assuming the user pays attention to the signature).
There is no way to do what you want to do. In the end, an app has to be run by a processor or interpreter. That means it needs to be translated into instructions that the processor understands. If you want something to be secure, do not put it on a client device. There is no way to protect it if you're sending it to a device that needs to decrypt it and use it.
Any APK can be decompressed and have its sources read. You cannot, however, edit it and sign it without the signing key.
There is no way to encrypt your source files and everything inside of them is readable by anyone. Authentication data shouldn't be stored in an application if it is expected to be secret.
signed apks can easily be reverse engineered. You should never place authentication data in the source code. There is no bullet proof solution for this. However you can make it difficult for the attacker by encoding and not placing your critical data in obvious places.
You should use another way to use your authentication data, I've read something about building a binary and storing inside the lib directory as a .so file, I'm not sure how exactly it's the proccess because I didn't tried, but you can research another methods, storing private data on Java source it's not secure.
I've been trying to decompile and extract useful data from an APK for some time now. This data is stored in CSV files inside an "assets" folder. Unfortunately, the developers got smart, and have begun encrypting these CSVs starting in July. I've exhausted every way I know of to try and turn these files into readable versions of themselves without any success. But then, I realized, there are a few files in the assets folder that haven't changed since well before July—thus, I have both the decrypted and encrypted versions of these files. Using this knowledge, is it possible to predict the encryption pattern that all other files in the directory went through?
I'm fairly sure that it was encrypted bit-level, not byte-level since there are a lot of unknown characters (represented as special question marks) while trying to read these CSVs using Notepad/TextEdit/Atom in UTF-8 mode (or any other mode except UTF-16, really).
You're talking about a "known plain text" attack. No modern, widely used
method is vulnerable to this kind of attack, but many home grown encryption
methods are. Even with known text, you need to know or guess a lot about
the details of the encryption algorithm.
A better plan might be to hack the software that you know is doing the
decrypting, which must contain both the algorithm and the key.
You'd have better luck simply guessing based on the encrypted output. You'll need to familiarize yourself with characteristics of the output of algorithms and compare against what you see. This is probably a lot easier for hashes but you're talking about encryption. To answer your question though, it's unlikely that you're going to be able to use an unencrypted version of a file to break the encrypted one. You might try encrypting that file using different algorithms and comparing the results. That might give you the algo but could take longer.
Alternatively, here are some tools I found that might be able to automate the process for you...
https://code.google.com/archive/p/aligot/
https://bitbucket.org/daniel_plohmann/simplifire.idascope
https://www.aldeid.com/wiki/IDA-Pro/plugins/FindCrypt2
To crack it, you're also going to need to find the key that was used to encrypt it. Since it's a program that obvious must be decrypted to use, that key shouldn't be impossible to find. It's either in the apk or on a server somewhere in which case use wireshark but I'm guessing it's embedded.
They might be usig DexGuard or ProGuard. Here's a related post What methods are being used to protect this Android APK: Reflection? Encryption? How do I reverse engineer it and analyze it?
If it's ProGuard you might start with something like this: http://proguard.sourceforge.net/manual/retrace/examples.html
Here's some info on that: How to decode ProGuard's obfuscated code precisely?
i believe this question is already asked but i am not satisfied with their answers and posting it again here.
can someone please tell me how to safeguard my android app assets from copy cats who want to build similar app?
As always there is a trade-off between convenience and security. The more secure you want your app the less convenient it will be for you to develop.
The source code is inherently insecure due to ease of decompiling especially with rooted phone. To protect your source code you can obfuscate and/or encrypt your code which will prevent decompiling. Not exactly sure what tools are available for Android, but I am sure it will complicate your build process. If you just obfuscate, decompiling may still be possible, but will be much more difficult and will likely require the person attempting to decompile your code to know and understand Bytecode if a strong level of obfuscation is used.
To protect your assets, I believe your only option is to use encryption. Again this will complicate the app and/or build process depending on where you implement.
Even if you use encryption to protect your assets, you must protect the encryption key within your source code. Obviously, it does not matter what encryption scheme you use if your encryption key is in plaintext in the source code then anybody can grab the key and your asset and decrypt. All this does is add one more small fence to jump over.
However, if you correctly protect the encryption key and use a good encryption algorithm you should have less to worry about. This is a fairly complicated process though, it is difficult to use a key for encryption within your code and not keep it in plaintext. Even if you don't keep it in plaintext within the code, at some point it must be in memory to perform decryption. So if somebody can attach a debugger or dump memory at the right time, it will compromise the key. Of course, this requires a much more skilled adversary.
Overall, you need to decide exactly who you are worried about stealing your assets. If you are worried about the average Joe copying them, then you should be ok. If you are worried about a professional hacker, script kiddie, etc. gaining access to them then you are probably out of luck.
can someone please tell me how to safeguard my android app assets from copy cats who want to build similar app?
Generally, you can't. If it's in the app, anyone who wants to can get to them.
You are welcome to roll your own encryption scheme, or use tools like DexGuard. However, since the decryption engine and key must be in the app itself, all these do is increase the level of effort required to get to your assets. Making it more difficult will reduce the odds that somebody grabs the assets out of your APK, but it does not prevent the possibility. And, of course, there are other ways to get at much of this stuff (e.g., screenshots and image editors, recording audio played back by the app).
You can secure assets folder contents by encrypt it using strong encryption algorithms and decrypt them at runtime. Copycats cannot easily decrypt and get assets folder contents by simply extract apk using zip tools.
Is very easy extract the apk app from the phone through application managers (like Astro).
Google had a base protection that has been abandoned in favor of the more effective license managing,
however the old protection made more complicate the indiscriminate share of the apk outside the Google Play market.
The LVL has an opensource library, but I haven't find anything about the implementation of the GooglePlay base anti-apk-copy protection.
Would be useful a similar solution in addition to the license managing protection.
I have seen that some apps still prevent the apk copy in the same way of the old Google Play protection.
Is there somebody that know how the anti-apk-copy works, or if there is a similar open source protection library?
Somebody have asked what should be the reason for this kind of operation.
The reasons are many:
-Avoid the indiscriminate diffusion of APK through unauthorized channels
-Avoid that the first noob simply opening your APK with winzip could extract all
resources (as PNG images, buttons, textures, DB etc.) for his use easily
-Improve the general security
PS
I know that for every protection there is always a workaround to break it, however this doesn't mean that leave very easy ways to abuse of your work is always the best choice.
I think it's difficult to prevent someone from copying files out of the device. But why do you want to achieve this? If you are only for secure reasons, there are some other methods.
Basicly you can take proguard to obscure the code. If this is not enough, I know in java, there is a mechanism that could encrypt .jar files and use custom ClassLoader to decrypt the file and load class.
This could also be used in android.
Use c and jni to provide encrypt/decrypt apis. (decompiling .so files is more complicated.)
Package the core to a jar file. Encrypt the jar and put it in the assets/.
Use a new DexClassLoader to replace the default one. Try to decrypt the .jar file and load class.